pony | 203c5ba77074cc8c916e0c6d62dc7227a5bfbf83265ce620e83763f1c32c7983

Analysis

max time kernel
115s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-09-2024 04:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

203c5ba77074cc8c916e0c6d62dc7227a5bfbf83265ce620e83763f1c32c7983N.exe
Size

291KB
MD5

e1c3629119f5302d063ffdc6b12ea3b0
SHA1

f00fcee9d817012bd14477dc4ca1168a8768e4a2
SHA256

203c5ba77074cc8c916e0c6d62dc7227a5bfbf83265ce620e83763f1c32c7983
SHA512

a9973c250c8d0f58d66e490f0849ff521dbb8deb910999d136d12b59b1d55d7f13ecb8cba27229d3cede1cf9a92666026eef9d88d8c1c62f9455640eb5b66631
SSDEEP

6144:TTDGSslfdUY26SmrEsNU8BsR3E5BOiUgUAUaBvS9ltGrnRgCm:JsyUEYBscB13UAOenGl

Score

10^/10

pony credential_access discovery rat spyware stealer upx

Malware Config

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Executes dropped EXE 1 IoCs

pid	Process
332	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
1128	203c5ba77074cc8c916e0c6d62dc7227a5bfbf83265ce620e83763f1c32c7983N.exe
1868	DllHost.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1128-29-0x00000000037F0000-0x0000000003806000-memory.dmp	upx

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_64\Desktop.ini	csrss.exe
File created	\systemroot\assembly\GAC_32\Desktop.ini	csrss.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1128 set thread context of 2840	1128	203c5ba77074cc8c916e0c6d62dc7227a5bfbf83265ce620e83763f1c32c7983N.exe	31

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	203c5ba77074cc8c916e0c6d62dc7227a5bfbf83265ce620e83763f1c32c7983N.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\registry\machine\Software\Classes\Interface\{5b173c63-dd34-ea8a-4551-5120cc9b3e67}	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5b173c63-dd34-ea8a-4551-5120cc9b3e67}\u = "860049491"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5b173c63-dd34-ea8a-4551-5120cc9b3e67}\cid = "3739410188725659419"	explorer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2840	explorer.exe
2840	explorer.exe
2840	explorer.exe
332	csrss.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2840	explorer.exe
Token: SeAssignPrimaryTokenPrivilege	848	svchost.exe
Token: SeIncreaseQuotaPrivilege	848	svchost.exe
Token: SeSecurityPrivilege	848	svchost.exe
Token: SeTakeOwnershipPrivilege	848	svchost.exe
Token: SeLoadDriverPrivilege	848	svchost.exe
Token: SeSystemtimePrivilege	848	svchost.exe
Token: SeBackupPrivilege	848	svchost.exe
Token: SeRestorePrivilege	848	svchost.exe
Token: SeShutdownPrivilege	848	svchost.exe
Token: SeSystemEnvironmentPrivilege	848	svchost.exe
Token: SeUndockPrivilege	848	svchost.exe
Token: SeManageVolumePrivilege	848	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	848	svchost.exe
Token: SeIncreaseQuotaPrivilege	848	svchost.exe
Token: SeSecurityPrivilege	848	svchost.exe
Token: SeTakeOwnershipPrivilege	848	svchost.exe
Token: SeLoadDriverPrivilege	848	svchost.exe
Token: SeSystemtimePrivilege	848	svchost.exe
Token: SeBackupPrivilege	848	svchost.exe
Token: SeRestorePrivilege	848	svchost.exe
Token: SeShutdownPrivilege	848	svchost.exe
Token: SeSystemEnvironmentPrivilege	848	svchost.exe
Token: SeUndockPrivilege	848	svchost.exe
Token: SeManageVolumePrivilege	848	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	848	svchost.exe
Token: SeIncreaseQuotaPrivilege	848	svchost.exe
Token: SeSecurityPrivilege	848	svchost.exe
Token: SeTakeOwnershipPrivilege	848	svchost.exe
Token: SeLoadDriverPrivilege	848	svchost.exe
Token: SeSystemtimePrivilege	848	svchost.exe
Token: SeBackupPrivilege	848	svchost.exe
Token: SeRestorePrivilege	848	svchost.exe
Token: SeShutdownPrivilege	848	svchost.exe
Token: SeSystemEnvironmentPrivilege	848	svchost.exe
Token: SeUndockPrivilege	848	svchost.exe
Token: SeManageVolumePrivilege	848	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	848	svchost.exe
Token: SeIncreaseQuotaPrivilege	848	svchost.exe
Token: SeSecurityPrivilege	848	svchost.exe
Token: SeTakeOwnershipPrivilege	848	svchost.exe
Token: SeLoadDriverPrivilege	848	svchost.exe
Token: SeSystemtimePrivilege	848	svchost.exe
Token: SeBackupPrivilege	848	svchost.exe
Token: SeRestorePrivilege	848	svchost.exe
Token: SeShutdownPrivilege	848	svchost.exe
Token: SeSystemEnvironmentPrivilege	848	svchost.exe
Token: SeUndockPrivilege	848	svchost.exe
Token: SeManageVolumePrivilege	848	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	848	svchost.exe
Token: SeIncreaseQuotaPrivilege	848	svchost.exe
Token: SeSecurityPrivilege	848	svchost.exe
Token: SeTakeOwnershipPrivilege	848	svchost.exe
Token: SeLoadDriverPrivilege	848	svchost.exe
Token: SeSystemtimePrivilege	848	svchost.exe
Token: SeBackupPrivilege	848	svchost.exe
Token: SeRestorePrivilege	848	svchost.exe
Token: SeShutdownPrivilege	848	svchost.exe
Token: SeSystemEnvironmentPrivilege	848	svchost.exe
Token: SeUndockPrivilege	848	svchost.exe
Token: SeManageVolumePrivilege	848	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	848	svchost.exe
Token: SeIncreaseQuotaPrivilege	848	svchost.exe
Token: SeSecurityPrivilege	848	svchost.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
332	csrss.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1128 wrote to memory of 2840	1128	203c5ba77074cc8c916e0c6d62dc7227a5bfbf83265ce620e83763f1c32c7983N.exe	31
PID 1128 wrote to memory of 2840	1128	203c5ba77074cc8c916e0c6d62dc7227a5bfbf83265ce620e83763f1c32c7983N.exe	31
PID 1128 wrote to memory of 2840	1128	203c5ba77074cc8c916e0c6d62dc7227a5bfbf83265ce620e83763f1c32c7983N.exe	31
PID 1128 wrote to memory of 2840	1128	203c5ba77074cc8c916e0c6d62dc7227a5bfbf83265ce620e83763f1c32c7983N.exe	31
PID 1128 wrote to memory of 2840	1128	203c5ba77074cc8c916e0c6d62dc7227a5bfbf83265ce620e83763f1c32c7983N.exe	31
PID 2840 wrote to memory of 332	2840	explorer.exe	2
PID 332 wrote to memory of 848	332	csrss.exe	13
PID 332 wrote to memory of 1868	332	csrss.exe	32
PID 332 wrote to memory of 760	332	csrss.exe	33
PID 332 wrote to memory of 760	332	csrss.exe	33

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:848

C:\Users\Admin\AppData\Local\Temp\203c5ba77074cc8c916e0c6d62dc7227a5bfbf83265ce620e83763f1c32c7983N.exe
"C:\Users\Admin\AppData\Local\Temp\203c5ba77074cc8c916e0c6d62dc7227a5bfbf83265ce620e83763f1c32c7983N.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1128
- C:\Windows\explorer.exe
  000001D0*
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2840

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
- Loads dropped DLL
PID:1868

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\consrv.DLL

Filesize
53KB

MD5
d3bd9c7e7a29daa24c66dc62cd5f5633

SHA1
3895247052b6244659e73334e6398677dafa0ac1

SHA256
6b87925d0e03ab5daa4760b1a62bed66c49cb489d011e2c9633eb0fe466df83f

SHA512
e243a2272887b02417b08b0d0728689c8f01cc57d473ed811ba98c2f5aa4d985d02d0fd7772bc33356474abcc815609ab7a6c0e905d6fe884fb7bc70bc67e9d0

Download Submit
\??\globalroot\systemroot\assembly\temp\@

Filesize
2KB

MD5
d3a3043dbd27a1ecccb88347d5947cdc

SHA1
f73fa833578b5c1b595595fcff765c14a5ffd765

SHA256
e1694aa3ccf4f25f7d2c0b9c5ed7610621f694df0f0b4bd63c1a3245336cfad8

SHA512
c7dd612a5c5bc6c527109bf59377a2da8f56e8c6dfc279c24b8e1d6a7a6763bf183372b59e8cd6481cc7a24c5f9f3b12f0b10c7b5c9c53946975083f14ed0739

Download Submit
\Windows\assembly\GAC_32\Desktop.ini

Filesize
4KB

MD5
ff7d5ec20bf73c02317e7a740fffe018

SHA1
365ac8cfe5b939854cc1c341caf051bcc45f9372

SHA256
1e230847d7034f5ab3bf010f569315e00673859af0574fc9f915636ed905779a

SHA512
30854c0d703fd7c6cbc0769d9be4125baa2577ec529d5e48177a434685b66752fd79c50f0321324e23eeb985738f403347748afefae7d8a3bfad388a5b512a44

Download Submit
\Windows\assembly\GAC_64\Desktop.ini

Filesize
5KB

MD5
3e7a118b119428247edfc5d5ef3761bc

SHA1
140e4cb00107678160411f016c4c17611580a209

SHA256
97c19f4103a16798202e50a501375d0bf3d7ec1bb654dda230337e85b01b1ec5

SHA512
b0e27a4d7aa62f937f275b9f413f75857846ae670bf3aed6e55c1db865485fda89e33dcdffa02ae2ab25f48d5f63f869232f9e6d69f9cdc8a5c93f39de09a925

Download Submit
memory/332-19-0x0000000002570000-0x0000000002582000-memory.dmp

Filesize
72KB

Download
memory/332-31-0x0000000002570000-0x0000000002582000-memory.dmp

Filesize
72KB

Download
memory/332-20-0x0000000002570000-0x0000000002582000-memory.dmp

Filesize
72KB

Download
memory/848-42-0x0000000000BC0000-0x0000000000BC8000-memory.dmp

Filesize
32KB

Download
memory/848-34-0x0000000000BD0000-0x0000000000BDB000-memory.dmp

Filesize
44KB

Download
memory/848-50-0x0000000000BE0000-0x0000000000BEB000-memory.dmp

Filesize
44KB

Download
memory/848-38-0x0000000000BD0000-0x0000000000BDB000-memory.dmp

Filesize
44KB

Download
memory/848-45-0x0000000000BE0000-0x0000000000BEB000-memory.dmp

Filesize
44KB

Download
memory/848-43-0x0000000000BD0000-0x0000000000BDB000-memory.dmp

Filesize
44KB

Download
memory/1128-30-0x0000000000400000-0x000000000044CA00-memory.dmp

Filesize
306KB

Download
memory/1128-29-0x00000000037F0000-0x0000000003806000-memory.dmp

Filesize
88KB

Download
memory/1128-1-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1128-24-0x0000000000400000-0x000000000044CA00-memory.dmp

Filesize
306KB

Download
memory/1128-0-0x0000000001DB0000-0x0000000001DB1000-memory.dmp

Filesize
4KB

Download
memory/1128-49-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1128-23-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2840-8-0x00000000002B0000-0x00000000002C9000-memory.dmp

Filesize
100KB

Download
memory/2840-13-0x00000000002B0000-0x00000000002C9000-memory.dmp

Filesize
100KB

Download
memory/2840-2-0x00000000002B0000-0x00000000002C9000-memory.dmp

Filesize
100KB

Download
memory/2840-3-0x0000000000060000-0x0000000000076000-memory.dmp

Filesize
88KB

Download