pony | b13b29772c29ccb412d6ab360ff38525836fcf0f65be637a7945a83a446dfd5e

Analysis

max time kernel
147s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-09-2024 22:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pfZVX.doc
Size

221KB
MD5

28e855032f83adbd2d8499af6d2d0e22
SHA1

6b590325e2e465d9762fa5d1877846667268558a
SHA256

b13b29772c29ccb412d6ab360ff38525836fcf0f65be637a7945a83a446dfd5e
SHA512

e401cbd41e044ff7d557f57960d50fb821244eaa97ce1218191d58e0935f6c069e6a0ff4788ed91ead279f36ba4eddfaa08dc3de01082c41dc9c2fc3c4b0ae34
SSDEEP

3072:zVIfFuR6AqFMa2fL3NtkWL90y7K4mlQCww7zDTW6HNRn0nPmaw:zVIf8RsOtZclptz78Pk

Score

10^/10

pony collection credential_access discovery rat spyware stealer upx

Malware Config

Extracted

Family

pony

http://fouseevenghedt.ru/gate.php

http://biledroben.ru/gate.php

http://rohironrof.ru/gate.php

Attributes

payload_url
http://eloraestate.com/wp-content/plugins/prism-highlight/opera1.exe

http://edmontonlimo247.com/wp-content/plugins/prism-highlight/opera1.exe

http://dgfcomercial.com.br/wp-content/plugins/prism-highlight/opera1.exe

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Executes dropped EXE 1 IoCs

pid	Process
3032	8tr.exe

Loads dropped DLL 1 IoCs

pid	Process
1728	WINWORD.EXE

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3032-92-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral1/memory/3032-97-0x0000000000400000-0x0000000000430000-memory.dmp	upx

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	8tr.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	8tr.exe
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	8tr.exe
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	8tr.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8tr.exe

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1728	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3032	8tr.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeImpersonatePrivilege	3032	8tr.exe
Token: SeTcbPrivilege	3032	8tr.exe
Token: SeChangeNotifyPrivilege	3032	8tr.exe
Token: SeCreateTokenPrivilege	3032	8tr.exe
Token: SeBackupPrivilege	3032	8tr.exe
Token: SeRestorePrivilege	3032	8tr.exe
Token: SeIncreaseQuotaPrivilege	3032	8tr.exe
Token: SeAssignPrimaryTokenPrivilege	3032	8tr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1728	WINWORD.EXE
1728	WINWORD.EXE
1956	WINWORD.EXE
1956	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 2768	1728	WINWORD.EXE	30
PID 1728 wrote to memory of 2768	1728	WINWORD.EXE	30
PID 1728 wrote to memory of 2768	1728	WINWORD.EXE	30
PID 1728 wrote to memory of 2768	1728	WINWORD.EXE	30
PID 1728 wrote to memory of 3032	1728	WINWORD.EXE	32
PID 1728 wrote to memory of 3032	1728	WINWORD.EXE	32
PID 1728 wrote to memory of 3032	1728	WINWORD.EXE	32
PID 1728 wrote to memory of 3032	1728	WINWORD.EXE	32
PID 3032 wrote to memory of 476	3032	8tr.exe	33
PID 3032 wrote to memory of 476	3032	8tr.exe	33
PID 3032 wrote to memory of 476	3032	8tr.exe	33
PID 3032 wrote to memory of 476	3032	8tr.exe	33

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	8tr.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	8tr.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\pfZVX.doc"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2768
- C:\Users\Admin\AppData\Local\Temp\8tr.exe
  C:\Users\Admin\AppData\Local\Temp\8tr.exe
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook accounts
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:3032
- - C:\Windows\SysWOW64\cmd.exe
    cmd /K
    3⤵
    - System Location Discovery: System Language Discovery
    PID:476

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7BB61864.emf

Filesize
5KB

MD5
0ed5bc16545d23c325d756013579a697

SHA1
dcdde3196414a743177131d7d906cb67315d88e7

SHA256
3e430584cd9774ea3b21d8e19b485b48212fe356776158dd5f3c5f63a5bde7d3

SHA512
c93072d11058fa50e3b09ff4da9f3dbe2637c2b5df05e616bd8ddd04557ea1e8b0db106b1545fad334619118c467776f81cf97ca52d3f2fcbbe007f30032b8af

Download Submit
C:\Users\Admin\AppData\Local\Temp\8tr.exe

Filesize
178KB

MD5
c028f68109fd975e9aed790087fe1457

SHA1
8086b95ae4f58529e2941aa4c532d8c584af1024

SHA256
5c05db8164a6d51dd483cbe8eddb1d0c21aecf432ef75f5dc5a0a2fc0b711657

SHA512
d22c6fe16c97890866f12ca1c7ab98d6242f997e3b84a2ced243830079693d7896f9bf7374a4c54e6d4155fa838b91064794918e5840805f58c72e619a54da02

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbhja.rtf

Filesize
802KB

MD5
9ab1293f32d6b2878070ed63fa09fe23

SHA1
072e63ef849d1e96380e80d7882a667fe1e8e1f3

SHA256
a70bd17db34712d1e14ab7d3357b53bfceaa9e48c08e7ceca5011e46374095a8

SHA512
524d6a6dfcf531196ce8a9476f3c2c85abf81f722e53fa49d42a605f6de8e4fba4635b053b9e1b4953b0b63c7d4d4bfb98941c42ee6f0153ff79b45c9896eab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\~WRD0001.tmp

Filesize
802KB

MD5
e79e771f59a2ecc0615f967e4bb77c8a

SHA1
d4c1ffce5612b235bacff6cf93c51b1da6d9d88b

SHA256
119d614c24e302d55626c8a2d24e8faba98ea83c0d959dc6afbbc2d40c12d763

SHA512
1891e6633b4b20ba76cd1ecb5f5fa14df648589a547575fd535f547c5960c5de79c38d17cb16432899c231d9042d4646a216b6a5dceae9bc1b084d045c8d9bdd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
317B

MD5
69f0ea0590db046cb93e1a97732b13c6

SHA1
7231cb2a6c3deb9fe430526da33e0b9ccf9d3759

SHA256
51fa7c841095a811cb2095e4fb17baff3968ea059f1ca5408e8f0020b4bf2728

SHA512
f811c5661e44d0ff5daff34bca5ad2828c6c31bbc631da5d99ee0f408122f3af10f030fdc2f9e67aa8f358dec5124b6619b65cb08d2a3fdd04acc88a815a0007

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
046102bc9fa182f701e9ba644fbafdff

SHA1
2a2bd6264c2f5f005ef8367c120b13b9766d7253

SHA256
358f766e00c9d897b4cbd73db7d74b8a10fc0df6b28598d4d01064af1c05da08

SHA512
f91d98f1af7492105bb5c3419d7e99b9bb4d7b5b18574d7118c737b1394f3a1ddb54ef99bd36cbca535305ffed3e6280008a92ef7e893e1c938564ee10c576be

Download Submit
memory/1728-16-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/1728-33-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/1728-5-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/1728-17-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/1728-42-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/1728-44-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/1728-43-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/1728-41-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/1728-40-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/1728-39-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/1728-37-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/1728-36-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/1728-35-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/1728-13-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/1728-32-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/1728-31-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/1728-30-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/1728-29-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/1728-28-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/1728-27-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/1728-26-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/1728-25-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/1728-23-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/1728-24-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/1728-22-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/1728-21-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/1728-20-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/1728-18-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/1728-2-0x000000007112D000-0x0000000071138000-memory.dmp

Filesize
44KB

Download
memory/1728-53-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/1728-14-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/1728-164-0x000000007112D000-0x0000000071138000-memory.dmp

Filesize
44KB

Download
memory/1728-4-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/1728-73-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/1728-69-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/1728-67-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/1728-72-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/1728-71-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/1728-70-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/1728-68-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/1728-12-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/1728-10-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/1728-9-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/1728-8-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/1728-7-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/1728-6-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/1728-34-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/1728-77-0x000000007112D000-0x0000000071138000-memory.dmp

Filesize
44KB

Download
memory/1728-85-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/1728-84-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/1728-86-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/1728-88-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/1728-0-0x000000002FB41000-0x000000002FB42000-memory.dmp

Filesize
4KB

Download
memory/1728-15-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/1728-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1728-95-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/1956-96-0x000000007112D000-0x0000000071138000-memory.dmp

Filesize
44KB

Download
memory/1956-115-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1956-78-0x000000007112D000-0x0000000071138000-memory.dmp

Filesize
44KB

Download
memory/1956-75-0x000000002FB41000-0x000000002FB42000-memory.dmp

Filesize
4KB

Download
memory/1956-119-0x000000007112D000-0x0000000071138000-memory.dmp

Filesize
44KB

Download
memory/3032-97-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3032-92-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download