pony | a1f12c346b487f5054ca918323fbada1aad97bd46dedb5ff5ff75d7bb34b0fde

General

Target

a1f12c346b487f5054ca918323fbada1aad97bd46dedb5ff5ff75d7bb34b0fde.jar
Size

147KB
MD5

84fb7ae55623298b8e648ff5c7dc2115
SHA1

1af05edd024bf064f1d03c640ab6a09b3a3f0d7c
SHA256

a1f12c346b487f5054ca918323fbada1aad97bd46dedb5ff5ff75d7bb34b0fde
SHA512

401f0e31489404d494a1a7068866a43fd981a5bbc5698c816d970596d05a8c032c773db8103b63178797dab121b166797e8ca2502bdc72c3e7afcc5a74e9d00e
SSDEEP

3072:ASXpIshi44JexXmSKpPULrtYnqAOUkiQKjh4YmTmLbb58Kdz+CmmCrUk:PIEiPhSUPUqqA9jtSCLbqKRrm94k

Score

10^/10

pony collection persistence rat spyware stealer upx

Malware Config

Extracted

Family

pony

C2

http://sweet0rium.com/dd/Panel/gate.php

http://www.sweet0rium.com/dd/Panel/gate.php

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Executes dropped EXE 2 IoCs

Processes:

asdqw67728263020026206530INVOICES.exeFind.exe

pid process

884 asdqw67728263020026206530INVOICES.exe
1132 Find.exe

pid	process
884	asdqw67728263020026206530INVOICES.exe
1132	Find.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1704-90-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1704-92-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1704-93-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1704-96-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1704-99-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1704-100-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1704-102-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1704-103-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1704-105-0x0000000000400000-0x000000000041D000-memory.dmp	upx

Loads dropped DLL 3 IoCs

Processes:

asdqw67728263020026206530INVOICES.exe

pid process

884 asdqw67728263020026206530INVOICES.exe
884 asdqw67728263020026206530INVOICES.exe
884 asdqw67728263020026206530INVOICES.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
884	asdqw67728263020026206530INVOICES.exe
884	asdqw67728263020026206530INVOICES.exe
884	asdqw67728263020026206530INVOICES.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ggg = "C:\\ProgramData\\Find.exe"	reg.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Find.exeasdqw67728263020026206530INVOICES.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	Find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	asdqw67728263020026206530INVOICES.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	asdqw67728263020026206530INVOICES.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Find.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Find.exe

description pid process target process

PID 1132 set thread context of 1704 1132 Find.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

asdqw67728263020026206530INVOICES.exe

pid process

884 asdqw67728263020026206530INVOICES.exe

description	pid	process	target process
PID 1132 set thread context of 1704	1132	Find.exe	vbc.exe

pid	process
884	asdqw67728263020026206530INVOICES.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

Processes:

asdqw67728263020026206530INVOICES.exeFind.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	884	asdqw67728263020026206530INVOICES.exe
Token: SeDebugPrivilege	1132	Find.exe
Token: SeImpersonatePrivilege	1704	vbc.exe
Token: SeTcbPrivilege	1704	vbc.exe
Token: SeChangeNotifyPrivilege	1704	vbc.exe
Token: SeCreateTokenPrivilege	1704	vbc.exe
Token: SeBackupPrivilege	1704	vbc.exe
Token: SeRestorePrivilege	1704	vbc.exe
Token: SeIncreaseQuotaPrivilege	1704	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	1704	vbc.exe
Token: SeImpersonatePrivilege	1704	vbc.exe
Token: SeTcbPrivilege	1704	vbc.exe
Token: SeChangeNotifyPrivilege	1704	vbc.exe
Token: SeCreateTokenPrivilege	1704	vbc.exe
Token: SeBackupPrivilege	1704	vbc.exe
Token: SeRestorePrivilege	1704	vbc.exe
Token: SeIncreaseQuotaPrivilege	1704	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	1704	vbc.exe
Token: SeImpersonatePrivilege	1704	vbc.exe
Token: SeTcbPrivilege	1704	vbc.exe
Token: SeChangeNotifyPrivilege	1704	vbc.exe
Token: SeCreateTokenPrivilege	1704	vbc.exe
Token: SeBackupPrivilege	1704	vbc.exe
Token: SeRestorePrivilege	1704	vbc.exe
Token: SeIncreaseQuotaPrivilege	1704	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	1704	vbc.exe
Token: SeImpersonatePrivilege	1704	vbc.exe
Token: SeTcbPrivilege	1704	vbc.exe
Token: SeChangeNotifyPrivilege	1704	vbc.exe
Token: SeCreateTokenPrivilege	1704	vbc.exe
Token: SeBackupPrivilege	1704	vbc.exe
Token: SeRestorePrivilege	1704	vbc.exe
Token: SeIncreaseQuotaPrivilege	1704	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	1704	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

java.exe

pid process

1160 java.exe

pid	process
1160	java.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

java.execmd.exeasdqw67728263020026206530INVOICES.execmd.exeFind.exevbc.exe

description	pid	process	target process
PID 1160 wrote to memory of 1084	1160	java.exe	cmd.exe
PID 1160 wrote to memory of 1084	1160	java.exe	cmd.exe
PID 1160 wrote to memory of 1084	1160	java.exe	cmd.exe
PID 1084 wrote to memory of 884	1084	cmd.exe	asdqw67728263020026206530INVOICES.exe
PID 1084 wrote to memory of 884	1084	cmd.exe	asdqw67728263020026206530INVOICES.exe
PID 1084 wrote to memory of 884	1084	cmd.exe	asdqw67728263020026206530INVOICES.exe
PID 1084 wrote to memory of 884	1084	cmd.exe	asdqw67728263020026206530INVOICES.exe
PID 1084 wrote to memory of 884	1084	cmd.exe	asdqw67728263020026206530INVOICES.exe
PID 1084 wrote to memory of 884	1084	cmd.exe	asdqw67728263020026206530INVOICES.exe
PID 1084 wrote to memory of 884	1084	cmd.exe	asdqw67728263020026206530INVOICES.exe
PID 884 wrote to memory of 864	884	asdqw67728263020026206530INVOICES.exe	cmd.exe
PID 884 wrote to memory of 864	884	asdqw67728263020026206530INVOICES.exe	cmd.exe
PID 884 wrote to memory of 864	884	asdqw67728263020026206530INVOICES.exe	cmd.exe
PID 884 wrote to memory of 864	884	asdqw67728263020026206530INVOICES.exe	cmd.exe
PID 884 wrote to memory of 864	884	asdqw67728263020026206530INVOICES.exe	cmd.exe
PID 884 wrote to memory of 864	884	asdqw67728263020026206530INVOICES.exe	cmd.exe
PID 884 wrote to memory of 864	884	asdqw67728263020026206530INVOICES.exe	cmd.exe
PID 884 wrote to memory of 1132	884	asdqw67728263020026206530INVOICES.exe	Find.exe
PID 884 wrote to memory of 1132	884	asdqw67728263020026206530INVOICES.exe	Find.exe
PID 884 wrote to memory of 1132	884	asdqw67728263020026206530INVOICES.exe	Find.exe
PID 884 wrote to memory of 1132	884	asdqw67728263020026206530INVOICES.exe	Find.exe
PID 884 wrote to memory of 1132	884	asdqw67728263020026206530INVOICES.exe	Find.exe
PID 884 wrote to memory of 1132	884	asdqw67728263020026206530INVOICES.exe	Find.exe
PID 884 wrote to memory of 1132	884	asdqw67728263020026206530INVOICES.exe	Find.exe
PID 864 wrote to memory of 924	864	cmd.exe	reg.exe
PID 864 wrote to memory of 924	864	cmd.exe	reg.exe
PID 864 wrote to memory of 924	864	cmd.exe	reg.exe
PID 864 wrote to memory of 924	864	cmd.exe	reg.exe
PID 864 wrote to memory of 924	864	cmd.exe	reg.exe
PID 864 wrote to memory of 924	864	cmd.exe	reg.exe
PID 864 wrote to memory of 924	864	cmd.exe	reg.exe
PID 1132 wrote to memory of 1704	1132	Find.exe	vbc.exe
PID 1132 wrote to memory of 1704	1132	Find.exe	vbc.exe
PID 1132 wrote to memory of 1704	1132	Find.exe	vbc.exe
PID 1132 wrote to memory of 1704	1132	Find.exe	vbc.exe
PID 1132 wrote to memory of 1704	1132	Find.exe	vbc.exe
PID 1132 wrote to memory of 1704	1132	Find.exe	vbc.exe
PID 1132 wrote to memory of 1704	1132	Find.exe	vbc.exe
PID 1132 wrote to memory of 1704	1132	Find.exe	vbc.exe
PID 1132 wrote to memory of 1704	1132	Find.exe	vbc.exe
PID 1132 wrote to memory of 1704	1132	Find.exe	vbc.exe
PID 1132 wrote to memory of 1704	1132	Find.exe	vbc.exe
PID 1704 wrote to memory of 1740	1704	vbc.exe	cmd.exe
PID 1704 wrote to memory of 1740	1704	vbc.exe	cmd.exe
PID 1704 wrote to memory of 1740	1704	vbc.exe	cmd.exe
PID 1704 wrote to memory of 1740	1704	vbc.exe	cmd.exe
PID 1704 wrote to memory of 1740	1704	vbc.exe	cmd.exe
PID 1704 wrote to memory of 1740	1704	vbc.exe	cmd.exe
PID 1704 wrote to memory of 1740	1704	vbc.exe	cmd.exe

outlook_win_path 1 IoCs

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe

C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\a1f12c346b487f5054ca918323fbada1aad97bd46dedb5ff5ff75d7bb34b0fde.jar
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Users\Admin\AppData\Local\Temp\asdqw67728263020026206530INVOICES.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1084

C:\Users\Admin\AppData\Local\Temp\asdqw67728263020026206530INVOICES.exe
C:\Users\Admin\AppData\Local\Temp\asdqw67728263020026206530INVOICES.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:884

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ggg" /t REG_SZ /d "C:\ProgramData\Find.exe" & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ggg" /t REG_SZ /d "C:\ProgramData\Find.exe"
5⤵
- Adds Run key to start application
PID:924

C:\ProgramData\Find.exe
"C:\ProgramData\Find.exe"
4⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1132

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
5⤵
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_win_path
PID:1704

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7369705.bat" "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" "
6⤵
PID:1740

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

2

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Find.exe
Filesize
165KB

MD5
ddfeb9dd1daa1c89a2a2054dfadabd86

SHA1
3fd8ad5d2a01d238027440d257abecb3e275a2cd

SHA256
ac8c02ae07d639de97b9fb9a1c45506d9e66aa637c68a191bd5ea6a3840689d7

SHA512
4928340e39a38f78bb91ab7907cbfad71211f4286ff0123361994d2f542a4633ff7a417b78dc24d7744225813850f457fdfc2cffc8032053077fc6c757f6908f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7369705.bat
Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\asdqw67728263020026206530INVOICES.exe
Filesize
165KB

MD5
ddfeb9dd1daa1c89a2a2054dfadabd86

SHA1
3fd8ad5d2a01d238027440d257abecb3e275a2cd

SHA256
ac8c02ae07d639de97b9fb9a1c45506d9e66aa637c68a191bd5ea6a3840689d7

SHA512
4928340e39a38f78bb91ab7907cbfad71211f4286ff0123361994d2f542a4633ff7a417b78dc24d7744225813850f457fdfc2cffc8032053077fc6c757f6908f

Download Submit
C:\Users\Admin\AppData\Local\Temp\asdqw67728263020026206530INVOICES.exe
Filesize
165KB

MD5
ddfeb9dd1daa1c89a2a2054dfadabd86

SHA1
3fd8ad5d2a01d238027440d257abecb3e275a2cd

SHA256
ac8c02ae07d639de97b9fb9a1c45506d9e66aa637c68a191bd5ea6a3840689d7

SHA512
4928340e39a38f78bb91ab7907cbfad71211f4286ff0123361994d2f542a4633ff7a417b78dc24d7744225813850f457fdfc2cffc8032053077fc6c757f6908f

Download Submit
\Users\Admin\AppData\Local\Temp\asdqw67728263020026206530INVOICES.exe
Filesize
165KB

MD5
ddfeb9dd1daa1c89a2a2054dfadabd86

SHA1
3fd8ad5d2a01d238027440d257abecb3e275a2cd

SHA256
ac8c02ae07d639de97b9fb9a1c45506d9e66aa637c68a191bd5ea6a3840689d7

SHA512
4928340e39a38f78bb91ab7907cbfad71211f4286ff0123361994d2f542a4633ff7a417b78dc24d7744225813850f457fdfc2cffc8032053077fc6c757f6908f

Download Submit
\Users\Admin\AppData\Local\Temp\asdqw67728263020026206530INVOICES.exe
Filesize
165KB

MD5
ddfeb9dd1daa1c89a2a2054dfadabd86

SHA1
3fd8ad5d2a01d238027440d257abecb3e275a2cd

SHA256
ac8c02ae07d639de97b9fb9a1c45506d9e66aa637c68a191bd5ea6a3840689d7

SHA512
4928340e39a38f78bb91ab7907cbfad71211f4286ff0123361994d2f542a4633ff7a417b78dc24d7744225813850f457fdfc2cffc8032053077fc6c757f6908f

Download Submit
\Users\Admin\AppData\Local\Temp\asdqw67728263020026206530INVOICES.exe
Filesize
165KB

MD5
ddfeb9dd1daa1c89a2a2054dfadabd86

SHA1
3fd8ad5d2a01d238027440d257abecb3e275a2cd

SHA256
ac8c02ae07d639de97b9fb9a1c45506d9e66aa637c68a191bd5ea6a3840689d7

SHA512
4928340e39a38f78bb91ab7907cbfad71211f4286ff0123361994d2f542a4633ff7a417b78dc24d7744225813850f457fdfc2cffc8032053077fc6c757f6908f

Download Submit
memory/864-80-0x0000000000000000-mapping.dmp

Download
memory/884-85-0x0000000072E10000-0x00000000733BB000-memory.dmp

Filesize
5.7MB

Download
memory/884-74-0x00000000753F1000-0x00000000753F3000-memory.dmp

Filesize
8KB

Download
memory/884-72-0x0000000000000000-mapping.dmp

Download
memory/884-78-0x0000000072E10000-0x00000000733BB000-memory.dmp

Filesize
5.7MB

Download
memory/884-79-0x0000000072E10000-0x00000000733BB000-memory.dmp

Filesize
5.7MB

Download
memory/924-86-0x0000000000000000-mapping.dmp

Download
memory/1084-69-0x0000000000000000-mapping.dmp

Download
memory/1132-81-0x0000000000000000-mapping.dmp

Download
memory/1132-88-0x0000000072860000-0x0000000072E0B000-memory.dmp

Filesize
5.7MB

Download
memory/1132-101-0x0000000072860000-0x0000000072E0B000-memory.dmp

Filesize
5.7MB

Download
memory/1160-68-0x0000000002220000-0x0000000005220000-memory.dmp

Filesize
48.0MB

Download
memory/1160-54-0x000007FEFB651000-0x000007FEFB653000-memory.dmp

Filesize
8KB

Download
memory/1160-64-0x0000000002220000-0x0000000005220000-memory.dmp

Filesize
48.0MB

Download
memory/1704-92-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1704-93-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1704-94-0x000000000041AF70-mapping.dmp

Download
memory/1704-96-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1704-99-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1704-90-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1704-100-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1704-102-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1704-103-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1704-105-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1704-89-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1740-104-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads