pony | a1f12c346b487f5054ca918323fbada1aad97bd46dedb5ff5ff75d7bb34b0fde

General

Target

a1f12c346b487f5054ca918323fbada1aad97bd46dedb5ff5ff75d7bb34b0fde.jar
Size

147KB
MD5

84fb7ae55623298b8e648ff5c7dc2115
SHA1

1af05edd024bf064f1d03c640ab6a09b3a3f0d7c
SHA256

a1f12c346b487f5054ca918323fbada1aad97bd46dedb5ff5ff75d7bb34b0fde
SHA512

401f0e31489404d494a1a7068866a43fd981a5bbc5698c816d970596d05a8c032c773db8103b63178797dab121b166797e8ca2502bdc72c3e7afcc5a74e9d00e
SSDEEP

3072:ASXpIshi44JexXmSKpPULrtYnqAOUkiQKjh4YmTmLbb58Kdz+CmmCrUk:PIEiPhSUPUqqA9jtSCLbqKRrm94k

Score

10^/10

pony collection persistence rat spyware stealer upx

Malware Config

Extracted

Family

pony

C2

http://sweet0rium.com/dd/Panel/gate.php

http://www.sweet0rium.com/dd/Panel/gate.php

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Executes dropped EXE 2 IoCs

Processes:

asdqw74006004306124631850INVOICES.exeFind.exe

pid process

3748 asdqw74006004306124631850INVOICES.exe
2448 Find.exe

pid	process
3748	asdqw74006004306124631850INVOICES.exe
2448	Find.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1300-155-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/1300-157-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/1300-158-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/1300-160-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/1300-162-0x0000000000400000-0x000000000041D000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

asdqw74006004306124631850INVOICES.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	asdqw74006004306124631850INVOICES.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ggg = "C:\\ProgramData\\Find.exe"	reg.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Find.exeasdqw74006004306124631850INVOICES.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	Find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	asdqw74006004306124631850INVOICES.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	asdqw74006004306124631850INVOICES.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Find.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Find.exe

description pid process target process

PID 2448 set thread context of 1300 2448 Find.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 2448 set thread context of 1300	2448	Find.exe	vbc.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

Processes:

asdqw74006004306124631850INVOICES.exeFind.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	3748	asdqw74006004306124631850INVOICES.exe
Token: SeDebugPrivilege	2448	Find.exe
Token: SeImpersonatePrivilege	1300	vbc.exe
Token: SeTcbPrivilege	1300	vbc.exe
Token: SeChangeNotifyPrivilege	1300	vbc.exe
Token: SeCreateTokenPrivilege	1300	vbc.exe
Token: SeBackupPrivilege	1300	vbc.exe
Token: SeRestorePrivilege	1300	vbc.exe
Token: SeIncreaseQuotaPrivilege	1300	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	1300	vbc.exe
Token: SeImpersonatePrivilege	1300	vbc.exe
Token: SeTcbPrivilege	1300	vbc.exe
Token: SeChangeNotifyPrivilege	1300	vbc.exe
Token: SeCreateTokenPrivilege	1300	vbc.exe
Token: SeBackupPrivilege	1300	vbc.exe
Token: SeRestorePrivilege	1300	vbc.exe
Token: SeIncreaseQuotaPrivilege	1300	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	1300	vbc.exe
Token: SeImpersonatePrivilege	1300	vbc.exe
Token: SeTcbPrivilege	1300	vbc.exe
Token: SeChangeNotifyPrivilege	1300	vbc.exe
Token: SeCreateTokenPrivilege	1300	vbc.exe
Token: SeBackupPrivilege	1300	vbc.exe
Token: SeRestorePrivilege	1300	vbc.exe
Token: SeIncreaseQuotaPrivilege	1300	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	1300	vbc.exe
Token: SeImpersonatePrivilege	1300	vbc.exe
Token: SeTcbPrivilege	1300	vbc.exe
Token: SeChangeNotifyPrivilege	1300	vbc.exe
Token: SeCreateTokenPrivilege	1300	vbc.exe
Token: SeBackupPrivilege	1300	vbc.exe
Token: SeRestorePrivilege	1300	vbc.exe
Token: SeIncreaseQuotaPrivilege	1300	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	1300	vbc.exe
Token: SeImpersonatePrivilege	1300	vbc.exe
Token: SeTcbPrivilege	1300	vbc.exe
Token: SeChangeNotifyPrivilege	1300	vbc.exe
Token: SeCreateTokenPrivilege	1300	vbc.exe
Token: SeBackupPrivilege	1300	vbc.exe
Token: SeRestorePrivilege	1300	vbc.exe
Token: SeIncreaseQuotaPrivilege	1300	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	1300	vbc.exe
Token: SeImpersonatePrivilege	1300	vbc.exe
Token: SeTcbPrivilege	1300	vbc.exe
Token: SeChangeNotifyPrivilege	1300	vbc.exe
Token: SeCreateTokenPrivilege	1300	vbc.exe
Token: SeBackupPrivilege	1300	vbc.exe
Token: SeRestorePrivilege	1300	vbc.exe
Token: SeIncreaseQuotaPrivilege	1300	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	1300	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

java.exe

pid process

3528 java.exe

pid	process
3528	java.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

java.execmd.exeasdqw74006004306124631850INVOICES.execmd.exeFind.exevbc.exe

description	pid	process	target process
PID 3528 wrote to memory of 4036	3528	java.exe	cmd.exe
PID 3528 wrote to memory of 4036	3528	java.exe	cmd.exe
PID 4036 wrote to memory of 3748	4036	cmd.exe	asdqw74006004306124631850INVOICES.exe
PID 4036 wrote to memory of 3748	4036	cmd.exe	asdqw74006004306124631850INVOICES.exe
PID 4036 wrote to memory of 3748	4036	cmd.exe	asdqw74006004306124631850INVOICES.exe
PID 3748 wrote to memory of 2728	3748	asdqw74006004306124631850INVOICES.exe	cmd.exe
PID 3748 wrote to memory of 2728	3748	asdqw74006004306124631850INVOICES.exe	cmd.exe
PID 3748 wrote to memory of 2728	3748	asdqw74006004306124631850INVOICES.exe	cmd.exe
PID 2728 wrote to memory of 3096	2728	cmd.exe	reg.exe
PID 2728 wrote to memory of 3096	2728	cmd.exe	reg.exe
PID 2728 wrote to memory of 3096	2728	cmd.exe	reg.exe
PID 3748 wrote to memory of 2448	3748	asdqw74006004306124631850INVOICES.exe	Find.exe
PID 3748 wrote to memory of 2448	3748	asdqw74006004306124631850INVOICES.exe	Find.exe
PID 3748 wrote to memory of 2448	3748	asdqw74006004306124631850INVOICES.exe	Find.exe
PID 2448 wrote to memory of 1300	2448	Find.exe	vbc.exe
PID 2448 wrote to memory of 1300	2448	Find.exe	vbc.exe
PID 2448 wrote to memory of 1300	2448	Find.exe	vbc.exe
PID 2448 wrote to memory of 1300	2448	Find.exe	vbc.exe
PID 2448 wrote to memory of 1300	2448	Find.exe	vbc.exe
PID 2448 wrote to memory of 1300	2448	Find.exe	vbc.exe
PID 2448 wrote to memory of 1300	2448	Find.exe	vbc.exe
PID 1300 wrote to memory of 3584	1300	vbc.exe	cmd.exe
PID 1300 wrote to memory of 3584	1300	vbc.exe	cmd.exe
PID 1300 wrote to memory of 3584	1300	vbc.exe	cmd.exe

outlook_win_path 1 IoCs

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\a1f12c346b487f5054ca918323fbada1aad97bd46dedb5ff5ff75d7bb34b0fde.jar
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3528

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c C:\Users\Admin\AppData\Local\Temp\asdqw74006004306124631850INVOICES.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4036

C:\Users\Admin\AppData\Local\Temp\asdqw74006004306124631850INVOICES.exe
C:\Users\Admin\AppData\Local\Temp\asdqw74006004306124631850INVOICES.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3748

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ggg" /t REG_SZ /d "C:\ProgramData\Find.exe" & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:2728

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ggg" /t REG_SZ /d "C:\ProgramData\Find.exe"
5⤵
- Adds Run key to start application
PID:3096

C:\ProgramData\Find.exe
"C:\ProgramData\Find.exe"
4⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2448

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
5⤵
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_win_path
PID:1300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240608843.bat" "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" "
6⤵
PID:3584

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Email Collection

2

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Find.exe
Filesize
165KB

MD5
ddfeb9dd1daa1c89a2a2054dfadabd86

SHA1
3fd8ad5d2a01d238027440d257abecb3e275a2cd

SHA256
ac8c02ae07d639de97b9fb9a1c45506d9e66aa637c68a191bd5ea6a3840689d7

SHA512
4928340e39a38f78bb91ab7907cbfad71211f4286ff0123361994d2f542a4633ff7a417b78dc24d7744225813850f457fdfc2cffc8032053077fc6c757f6908f

Download Submit
C:\Users\Admin\AppData\Local\Temp\240608843.bat
Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\asdqw74006004306124631850INVOICES.exe
Filesize
165KB

MD5
ddfeb9dd1daa1c89a2a2054dfadabd86

SHA1
3fd8ad5d2a01d238027440d257abecb3e275a2cd

SHA256
ac8c02ae07d639de97b9fb9a1c45506d9e66aa637c68a191bd5ea6a3840689d7

SHA512
4928340e39a38f78bb91ab7907cbfad71211f4286ff0123361994d2f542a4633ff7a417b78dc24d7744225813850f457fdfc2cffc8032053077fc6c757f6908f

Download Submit
C:\Users\Admin\AppData\Local\Temp\asdqw74006004306124631850INVOICES.exe
Filesize
165KB

MD5
ddfeb9dd1daa1c89a2a2054dfadabd86

SHA1
3fd8ad5d2a01d238027440d257abecb3e275a2cd

SHA256
ac8c02ae07d639de97b9fb9a1c45506d9e66aa637c68a191bd5ea6a3840689d7

SHA512
4928340e39a38f78bb91ab7907cbfad71211f4286ff0123361994d2f542a4633ff7a417b78dc24d7744225813850f457fdfc2cffc8032053077fc6c757f6908f

Download Submit
memory/1300-154-0x0000000000000000-mapping.dmp

Download
memory/1300-162-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1300-160-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1300-158-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1300-157-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1300-155-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2448-152-0x0000000075100000-0x00000000756B1000-memory.dmp

Filesize
5.7MB

Download
memory/2448-150-0x0000000000000000-mapping.dmp

Download
memory/2448-159-0x0000000075100000-0x00000000756B1000-memory.dmp

Filesize
5.7MB

Download
memory/2728-148-0x0000000000000000-mapping.dmp

Download
memory/3096-149-0x0000000000000000-mapping.dmp

Download
memory/3528-134-0x0000000002E50000-0x0000000003E50000-memory.dmp

Filesize
16.0MB

Download
memory/3584-161-0x0000000000000000-mapping.dmp

Download
memory/3748-153-0x0000000075100000-0x00000000756B1000-memory.dmp

Filesize
5.7MB

Download
memory/3748-147-0x0000000075100000-0x00000000756B1000-memory.dmp

Filesize
5.7MB

Download
memory/3748-144-0x0000000000000000-mapping.dmp

Download
memory/4036-142-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads