pony | c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85

General

Target

c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Size

80KB
MD5

a02384c9fff09d0a49469d05e6cbb57a
SHA1

044486f2b47210539e2ccf6d51df4ca7fda676f6
SHA256

c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85
SHA512

8472764fe48e03d18f3ff10967cf5eed0c75266bf27ec33d409ee394776ece550f1d7a5f28175bed24fba28bfe6b9e9d00e53db008c28b2f06afc2b806642080
SSDEEP

1536:3fq6HEuN8BHbg3qAteHCOYAYUOuz0vXiIbYiVlV+Peu5ruBff4TGWIQ367o:FN8BH0MhWxXrV+mvBH4Th3

Score

10^/10

pony discovery persistence rat spyware stealer upx

Malware Config

Extracted

Family

pony

C2

http://saleryplax.info:2346/pony/mac.php

http://derotins.info:2346/pony/mac.php

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Drops file in Drivers directory 4 IoCs

Processes:

c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.execmd.execmd.exe

description	ioc	process
File created	C:\Windows\system32\drivers\etc\test	c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
File created	C:\Windows\system32\drivers\etc\hosts.sam	cmd.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts.sam	cmd.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	cmd.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1716-62-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral1/memory/1716-65-0x0000000000400000-0x0000000000431000-memory.dmp	upx

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1364 cmd.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1364	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\7093100 = "cmd.exe /c copy C:\\Users\\Admin\\AppData\\Local\\Temp\\7092803FdOh C:\\Windows\\system32\\drivers\\etc\\hosts /Y && attrib +H C:\\Windows\\system32\\drivers\\etc\\hosts /f"	reg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

600 PING.EXE

pid	process
600	PING.EXE

Suspicious use of AdjustPrivilegeToken 32 IoCs

Processes:

c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe

description	pid	process
Token: SeImpersonatePrivilege	1716	c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeTcbPrivilege	1716	c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeChangeNotifyPrivilege	1716	c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeCreateTokenPrivilege	1716	c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeBackupPrivilege	1716	c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeRestorePrivilege	1716	c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeIncreaseQuotaPrivilege	1716	c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeAssignPrimaryTokenPrivilege	1716	c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeImpersonatePrivilege	1716	c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeTcbPrivilege	1716	c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeChangeNotifyPrivilege	1716	c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeCreateTokenPrivilege	1716	c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeBackupPrivilege	1716	c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeRestorePrivilege	1716	c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeIncreaseQuotaPrivilege	1716	c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeAssignPrimaryTokenPrivilege	1716	c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeImpersonatePrivilege	1716	c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeTcbPrivilege	1716	c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeChangeNotifyPrivilege	1716	c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeCreateTokenPrivilege	1716	c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeBackupPrivilege	1716	c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeRestorePrivilege	1716	c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeIncreaseQuotaPrivilege	1716	c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeAssignPrimaryTokenPrivilege	1716	c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeImpersonatePrivilege	1716	c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeTcbPrivilege	1716	c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeChangeNotifyPrivilege	1716	c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeCreateTokenPrivilege	1716	c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeBackupPrivilege	1716	c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeRestorePrivilege	1716	c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeIncreaseQuotaPrivilege	1716	c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeAssignPrimaryTokenPrivilege	1716	c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.execmd.execmd.execmd.exetaskeng.exe

description	pid	process	target process
PID 1716 wrote to memory of 1808	1716	c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe	cmd.exe
PID 1716 wrote to memory of 1808	1716	c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe	cmd.exe
PID 1716 wrote to memory of 1808	1716	c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe	cmd.exe
PID 1716 wrote to memory of 1808	1716	c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe	cmd.exe
PID 1716 wrote to memory of 544	1716	c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe	cmd.exe
PID 1716 wrote to memory of 544	1716	c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe	cmd.exe
PID 1716 wrote to memory of 544	1716	c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe	cmd.exe
PID 1716 wrote to memory of 544	1716	c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe	cmd.exe
PID 544 wrote to memory of 556	544	cmd.exe	reg.exe
PID 544 wrote to memory of 556	544	cmd.exe	reg.exe
PID 544 wrote to memory of 556	544	cmd.exe	reg.exe
PID 544 wrote to memory of 556	544	cmd.exe	reg.exe
PID 1808 wrote to memory of 1148	1808	cmd.exe	at.exe
PID 1808 wrote to memory of 1148	1808	cmd.exe	at.exe
PID 1808 wrote to memory of 1148	1808	cmd.exe	at.exe
PID 1808 wrote to memory of 1148	1808	cmd.exe	at.exe
PID 1716 wrote to memory of 1364	1716	c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe	cmd.exe
PID 1716 wrote to memory of 1364	1716	c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe	cmd.exe
PID 1716 wrote to memory of 1364	1716	c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe	cmd.exe
PID 1716 wrote to memory of 1364	1716	c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe	cmd.exe
PID 1364 wrote to memory of 600	1364	cmd.exe	PING.EXE
PID 1364 wrote to memory of 600	1364	cmd.exe	PING.EXE
PID 1364 wrote to memory of 600	1364	cmd.exe	PING.EXE
PID 1364 wrote to memory of 600	1364	cmd.exe	PING.EXE
PID 1632 wrote to memory of 1676	1632	taskeng.exe	cmd.exe
PID 1632 wrote to memory of 1676	1632	taskeng.exe	cmd.exe
PID 1632 wrote to memory of 1676	1632	taskeng.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
"C:\Users\Admin\AppData\Local\Temp\c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe"
1⤵
- Drops file in Drivers directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy %WINDIR%\system32\drivers\etc\hosts %WINDIR%\system32\drivers\etc\hosts.sam /Y && at 04:20:00 cmd.exe /c copy %TEMP%\7092803FdOh %WINDIR%\system32\drivers\etc\hosts /Y
2⤵
- Drops file in Drivers directory
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\SysWOW64\at.exe
at 04:20:00 cmd.exe /c copy C:\Users\Admin\AppData\Local\Temp\7092803FdOh C:\Windows\system32\drivers\etc\hosts /Y
3⤵
PID:1148

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\windows\CurrentVersion\Run /v 7093100 /t REG_SZ /d "cmd.exe /c copy %TEMP%\7092803FdOh %WINDIR%\system32\drivers\etc\hosts /Y && attrib +H %WINDIR%\system32\drivers\etc\hosts /f
2⤵
- Suspicious use of WriteProcessMemory
PID:544

C:\Windows\SysWOW64\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\windows\CurrentVersion\Run /v 7093100 /t REG_SZ /d "cmd.exe /c copy C:\Users\Admin\AppData\Local\Temp\7092803FdOh C:\Windows\system32\drivers\etc\hosts /Y && attrib +H C:\Windows\system32\drivers\etc\hosts /f
3⤵
- Adds Run key to start application
PID:556

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping -n 10 127.0.0.1 > NUL && del "C:\Users\Admin\AppData\Local\Temp\c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\SysWOW64\PING.EXE
ping -n 10 127.0.0.1
3⤵
- Runs ping.exe
PID:600

C:\Windows\system32\taskeng.exe
taskeng.exe {C9D066FF-8046-4598-A12A-7701D8B62EFD} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\system32\cmd.exe
cmd.exe /c copy C:\Users\Admin\AppData\Local\Temp\7092803FdOh C:\Windows\system32\drivers\etc\hosts /Y
2⤵
- Drops file in Drivers directory
PID:1676

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7092803FdOh
Filesize
1KB

MD5
5d6101e933aed727c338916ae90aa7cd

SHA1
8d63692efbbcb7ab9c948234c32985f6edaafa82

SHA256
aa2afab0a97cd879fbb30ebd8883b18b3358339583bcb7cc5cf1da8c75de6aad

SHA512
5c9ab5692b86f80d2d420218927b4d8673b599a0ef89d6c419ab12aaa12dbc023cd2e356a2f7d8d6ec07b7ee3467bfe8c0db58202fb8a6ec1d04a929529af9d9

Download Submit
memory/544-58-0x0000000000000000-mapping.dmp

Download
memory/556-59-0x0000000000000000-mapping.dmp

Download
memory/600-66-0x0000000000000000-mapping.dmp

Download
memory/1148-60-0x0000000000000000-mapping.dmp

Download
memory/1364-64-0x0000000000000000-mapping.dmp

Download
memory/1676-67-0x0000000000000000-mapping.dmp

Download
memory/1716-62-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1716-63-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1716-54-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1716-65-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1716-56-0x00000000765B1000-0x00000000765B3000-memory.dmp

Filesize
8KB

Download
memory/1716-55-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1808-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads