pony | 115f9bbe6e9a20136607c220737194e7ded5be49b56a0f279e0082c8977a9304

General

Target

115f9bbe6e9a20136607c220737194e7ded5be49b56a0f279e0082c8977a9304.exe
Size

136KB
MD5

3276ed4c930c7f3f20e6492199139ea9
SHA1

d0837fc9960823be07f44439aa439018d974454f
SHA256

115f9bbe6e9a20136607c220737194e7ded5be49b56a0f279e0082c8977a9304
SHA512

10018be30db6cacf6584eadcb8d0822a36b70356fc64a52c9243245ae7a15149dd9f7c65aac7c83d22a1102a62f8ae847d051966c31c85c2bf81c4af95109703
SSDEEP

3072:zstGUIKGNj4y6tgdYCVmRL4sjDfdTs3oRlqhdd:zstGyYsyTv8+s/fdTq

Score

10^/10

pony collection discovery rat spyware stealer upx

Malware Config

Extracted

Family

pony

C2

http://www.bigdaddygroup.in/wp-admin/images/panel/gate.php

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Executes dropped EXE 2 IoCs

Processes:

Pony.exeWindows.exe

pid process

2628 Pony.exe
1484 Windows.exe

pid	process
2628	Pony.exe
1484	Windows.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Pony.exe	upx
C:\Users\Admin\AppData\Roaming\Pony.exe	upx
behavioral2/memory/2628-140-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/2628-145-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/2032-147-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/2032-149-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/2032-148-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/2032-152-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/2032-153-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/2032-155-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/2032-157-0x0000000000400000-0x000000000041D000-memory.dmp	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

115f9bbe6e9a20136607c220737194e7ded5be49b56a0f279e0082c8977a9304.exeWindows.exePony.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	115f9bbe6e9a20136607c220737194e7ded5be49b56a0f279e0082c8977a9304.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Windows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Pony.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs

collection

Email Collection

T1114

Processes:

Pony.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Pony.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	svchost.exe

Accesses Microsoft Outlook profiles 1 TTPs 2 IoCs

collection

Email Collection

T1114

Processes:

Pony.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Pony.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	svchost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

Windows.exe

description pid process target process

PID 1484 set thread context of 2032 1484 Windows.exe svchost.exe

description	pid	process	target process
PID 1484 set thread context of 2032	1484	Windows.exe	svchost.exe

Drops file in Program Files directory 2 IoCs

Processes:

115f9bbe6e9a20136607c220737194e7ded5be49b56a0f279e0082c8977a9304.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows.exe	115f9bbe6e9a20136607c220737194e7ded5be49b56a0f279e0082c8977a9304.exe
File opened for modification	C:\Program Files (x86)\Windows.exe	115f9bbe6e9a20136607c220737194e7ded5be49b56a0f279e0082c8977a9304.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4924 schtasks.exe

pid	process
4924	schtasks.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Pony.exesvchost.exe

description	pid	process
Token: SeImpersonatePrivilege	2628	Pony.exe
Token: SeTcbPrivilege	2628	Pony.exe
Token: SeChangeNotifyPrivilege	2628	Pony.exe
Token: SeCreateTokenPrivilege	2628	Pony.exe
Token: SeBackupPrivilege	2628	Pony.exe
Token: SeRestorePrivilege	2628	Pony.exe
Token: SeIncreaseQuotaPrivilege	2628	Pony.exe
Token: SeAssignPrimaryTokenPrivilege	2628	Pony.exe
Token: SeImpersonatePrivilege	2628	Pony.exe
Token: SeTcbPrivilege	2628	Pony.exe
Token: SeChangeNotifyPrivilege	2628	Pony.exe
Token: SeCreateTokenPrivilege	2628	Pony.exe
Token: SeBackupPrivilege	2628	Pony.exe
Token: SeRestorePrivilege	2628	Pony.exe
Token: SeIncreaseQuotaPrivilege	2628	Pony.exe
Token: SeAssignPrimaryTokenPrivilege	2628	Pony.exe
Token: SeImpersonatePrivilege	2628	Pony.exe
Token: SeTcbPrivilege	2628	Pony.exe
Token: SeChangeNotifyPrivilege	2628	Pony.exe
Token: SeCreateTokenPrivilege	2628	Pony.exe
Token: SeBackupPrivilege	2628	Pony.exe
Token: SeRestorePrivilege	2628	Pony.exe
Token: SeIncreaseQuotaPrivilege	2628	Pony.exe
Token: SeAssignPrimaryTokenPrivilege	2628	Pony.exe
Token: SeImpersonatePrivilege	2628	Pony.exe
Token: SeTcbPrivilege	2628	Pony.exe
Token: SeChangeNotifyPrivilege	2628	Pony.exe
Token: SeCreateTokenPrivilege	2628	Pony.exe
Token: SeBackupPrivilege	2628	Pony.exe
Token: SeRestorePrivilege	2628	Pony.exe
Token: SeIncreaseQuotaPrivilege	2628	Pony.exe
Token: SeAssignPrimaryTokenPrivilege	2628	Pony.exe
Token: SeImpersonatePrivilege	2628	Pony.exe
Token: SeTcbPrivilege	2628	Pony.exe
Token: SeChangeNotifyPrivilege	2628	Pony.exe
Token: SeCreateTokenPrivilege	2628	Pony.exe
Token: SeBackupPrivilege	2628	Pony.exe
Token: SeRestorePrivilege	2628	Pony.exe
Token: SeIncreaseQuotaPrivilege	2628	Pony.exe
Token: SeAssignPrimaryTokenPrivilege	2628	Pony.exe
Token: SeImpersonatePrivilege	2628	Pony.exe
Token: SeTcbPrivilege	2628	Pony.exe
Token: SeChangeNotifyPrivilege	2628	Pony.exe
Token: SeCreateTokenPrivilege	2628	Pony.exe
Token: SeBackupPrivilege	2628	Pony.exe
Token: SeRestorePrivilege	2628	Pony.exe
Token: SeIncreaseQuotaPrivilege	2628	Pony.exe
Token: SeAssignPrimaryTokenPrivilege	2628	Pony.exe
Token: SeImpersonatePrivilege	2032	svchost.exe
Token: SeTcbPrivilege	2032	svchost.exe
Token: SeChangeNotifyPrivilege	2032	svchost.exe
Token: SeCreateTokenPrivilege	2032	svchost.exe
Token: SeBackupPrivilege	2032	svchost.exe
Token: SeRestorePrivilege	2032	svchost.exe
Token: SeIncreaseQuotaPrivilege	2032	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2032	svchost.exe
Token: SeImpersonatePrivilege	2032	svchost.exe
Token: SeTcbPrivilege	2032	svchost.exe
Token: SeChangeNotifyPrivilege	2032	svchost.exe
Token: SeCreateTokenPrivilege	2032	svchost.exe
Token: SeBackupPrivilege	2032	svchost.exe
Token: SeRestorePrivilege	2032	svchost.exe
Token: SeIncreaseQuotaPrivilege	2032	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2032	svchost.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

115f9bbe6e9a20136607c220737194e7ded5be49b56a0f279e0082c8977a9304.exeWindows.exePony.exesvchost.exe

description	pid	process	target process
PID 1404 wrote to memory of 2628	1404	115f9bbe6e9a20136607c220737194e7ded5be49b56a0f279e0082c8977a9304.exe	Pony.exe
PID 1404 wrote to memory of 2628	1404	115f9bbe6e9a20136607c220737194e7ded5be49b56a0f279e0082c8977a9304.exe	Pony.exe
PID 1404 wrote to memory of 2628	1404	115f9bbe6e9a20136607c220737194e7ded5be49b56a0f279e0082c8977a9304.exe	Pony.exe
PID 1404 wrote to memory of 1484	1404	115f9bbe6e9a20136607c220737194e7ded5be49b56a0f279e0082c8977a9304.exe	Windows.exe
PID 1404 wrote to memory of 1484	1404	115f9bbe6e9a20136607c220737194e7ded5be49b56a0f279e0082c8977a9304.exe	Windows.exe
PID 1404 wrote to memory of 1484	1404	115f9bbe6e9a20136607c220737194e7ded5be49b56a0f279e0082c8977a9304.exe	Windows.exe
PID 1484 wrote to memory of 4924	1484	Windows.exe	schtasks.exe
PID 1484 wrote to memory of 4924	1484	Windows.exe	schtasks.exe
PID 1484 wrote to memory of 4924	1484	Windows.exe	schtasks.exe
PID 2628 wrote to memory of 4904	2628	Pony.exe	cmd.exe
PID 2628 wrote to memory of 4904	2628	Pony.exe	cmd.exe
PID 2628 wrote to memory of 4904	2628	Pony.exe	cmd.exe
PID 1484 wrote to memory of 2032	1484	Windows.exe	svchost.exe
PID 1484 wrote to memory of 2032	1484	Windows.exe	svchost.exe
PID 1484 wrote to memory of 2032	1484	Windows.exe	svchost.exe
PID 1484 wrote to memory of 2032	1484	Windows.exe	svchost.exe
PID 1484 wrote to memory of 2032	1484	Windows.exe	svchost.exe
PID 1484 wrote to memory of 2032	1484	Windows.exe	svchost.exe
PID 1484 wrote to memory of 2032	1484	Windows.exe	svchost.exe
PID 1484 wrote to memory of 2032	1484	Windows.exe	svchost.exe
PID 2032 wrote to memory of 2036	2032	svchost.exe	cmd.exe
PID 2032 wrote to memory of 2036	2032	svchost.exe	cmd.exe
PID 2032 wrote to memory of 2036	2032	svchost.exe	cmd.exe

outlook_win_path 1 IoCs

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	svchost.exe

C:\Users\Admin\AppData\Local\Temp\115f9bbe6e9a20136607c220737194e7ded5be49b56a0f279e0082c8977a9304.exe
"C:\Users\Admin\AppData\Local\Temp\115f9bbe6e9a20136607c220737194e7ded5be49b56a0f279e0082c8977a9304.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Users\Admin\AppData\Roaming\Pony.exe
  "C:\Users\Admin\AppData\Roaming\Pony.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Accesses Microsoft Outlook accounts
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240547781.bat" "C:\Users\Admin\AppData\Roaming\Pony.exe" "
    3⤵
    PID:4904
- C:\Program Files (x86)\Windows.exe
  "C:\Program Files (x86)\Windows.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1484
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Update\Windows" /XML "C:\Users\Admin\AppData\Local\Temp\325115603.xml"
    3⤵
    - Creates scheduled task(s)
    PID:4924
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\System32\svchost.exe"
    3⤵
    - Accesses Microsoft Outlook accounts
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_win_path
    PID:2032
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240549234.bat" "C:\Windows\SysWOW64\svchost.exe" "
      4⤵
      PID:2036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows.exe

Filesize
136KB

MD5
3276ed4c930c7f3f20e6492199139ea9

SHA1
d0837fc9960823be07f44439aa439018d974454f

SHA256
115f9bbe6e9a20136607c220737194e7ded5be49b56a0f279e0082c8977a9304

SHA512
10018be30db6cacf6584eadcb8d0822a36b70356fc64a52c9243245ae7a15149dd9f7c65aac7c83d22a1102a62f8ae847d051966c31c85c2bf81c4af95109703

Download Submit
C:\Program Files (x86)\Windows.exe

Filesize
136KB

MD5
3276ed4c930c7f3f20e6492199139ea9

SHA1
d0837fc9960823be07f44439aa439018d974454f

SHA256
115f9bbe6e9a20136607c220737194e7ded5be49b56a0f279e0082c8977a9304

SHA512
10018be30db6cacf6584eadcb8d0822a36b70356fc64a52c9243245ae7a15149dd9f7c65aac7c83d22a1102a62f8ae847d051966c31c85c2bf81c4af95109703

Download Submit
C:\Users\Admin\AppData\Local\Temp\240547781.bat

Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\240549234.bat

Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\325115603.xml

Filesize
1KB

MD5
b747561192f37f2e4b434c7b291e5b6e

SHA1
1d34431b249a3d0150810b010ac0106e590c700f

SHA256
b5157df3793ac0d4570b9cab06ac477540c368c2eb656ff122124a688e478f4c

SHA512
d0a06017bf1ad1330559878a475f7e8dd40d688decd828224db0effa670d14b854ddafacb935337ef4b75ac1ac3d24e3c80dc07881d98f097f610355418909b1

Download Submit
C:\Users\Admin\AppData\Roaming\Pony.exe

Filesize
34KB

MD5
ce17b05eeb7960d69b2169f62faad510

SHA1
8ba96e55cb0bcea218f05f4a063cd8c7a6e57d06

SHA256
cb6451851012e919e11960d96ecc1f45c0bbddb65e4b33ee0a40e5a934b9374f

SHA512
a4dd7a0edcc46f3a38675c036df1affaa042aea4ad5df94980efe2f15fa44a4c31af59bbbf8c2039f179a2ec3427f5bdddd397643de5c69e6c1aa0db43ef3c0d

Download Submit
C:\Users\Admin\AppData\Roaming\Pony.exe

Filesize
34KB

MD5
ce17b05eeb7960d69b2169f62faad510

SHA1
8ba96e55cb0bcea218f05f4a063cd8c7a6e57d06

SHA256
cb6451851012e919e11960d96ecc1f45c0bbddb65e4b33ee0a40e5a934b9374f

SHA512
a4dd7a0edcc46f3a38675c036df1affaa042aea4ad5df94980efe2f15fa44a4c31af59bbbf8c2039f179a2ec3427f5bdddd397643de5c69e6c1aa0db43ef3c0d

Download Submit
memory/1404-132-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/1404-139-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/1484-136-0x0000000000000000-mapping.dmp

Download
memory/1484-154-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/1484-141-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/2032-152-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2032-155-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2032-147-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2032-149-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2032-148-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2032-146-0x0000000000000000-mapping.dmp

Download
memory/2032-157-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2032-153-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2036-156-0x0000000000000000-mapping.dmp

Download
memory/2628-140-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2628-145-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2628-133-0x0000000000000000-mapping.dmp

Download
memory/4904-144-0x0000000000000000-mapping.dmp

Download
memory/4924-142-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads