pony | 12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137

General

Target

12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137.exe
Size

2.2MB
MD5

c59d21cb82d80f2912ab6948e8b2484e
SHA1

589dba2677014366653eb4c9f0846c3c69408376
SHA256

12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137
SHA512

ac2e516b73b39d0b1a528caeedf11fa0d23b2e64376e5f5723af042bf417abbb444972bab824a9ba6d8735c93f0741f67cba50073f2afaa4bfdee115faf2c24f
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZf:0UzeyQMS4DqodCnoe+iitjWwwb

Score

10^/10

pony discovery evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137.exe	12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137.exe	12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137.exe

Executes dropped EXE 4 IoCs

pid	Process
2912	explorer.exe
2260	explorer.exe
840	spoolsv.exe
3112	spoolsv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3560 set thread context of 2768	3560	12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137.exe	91
PID 2912 set thread context of 2260	2912	explorer.exe	95

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Parameters.ini	12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137.exe
File opened for modification	\??\c:\windows\system\explorer.exe	12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2768	12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137.exe
2768	12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2768	12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137.exe
2768	12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3560 wrote to memory of 1984	3560	12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137.exe	82
PID 3560 wrote to memory of 1984	3560	12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137.exe	82
PID 3560 wrote to memory of 2768	3560	12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137.exe	91
PID 3560 wrote to memory of 2768	3560	12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137.exe	91
PID 3560 wrote to memory of 2768	3560	12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137.exe	91
PID 3560 wrote to memory of 2768	3560	12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137.exe	91
PID 3560 wrote to memory of 2768	3560	12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137.exe	91
PID 2768 wrote to memory of 2912	2768	12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137.exe	92
PID 2768 wrote to memory of 2912	2768	12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137.exe	92
PID 2768 wrote to memory of 2912	2768	12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137.exe	92
PID 2912 wrote to memory of 2260	2912	explorer.exe	95
PID 2912 wrote to memory of 2260	2912	explorer.exe	95
PID 2912 wrote to memory of 2260	2912	explorer.exe	95
PID 2912 wrote to memory of 2260	2912	explorer.exe	95
PID 2912 wrote to memory of 2260	2912	explorer.exe	95
PID 2260 wrote to memory of 840	2260	explorer.exe	96
PID 2260 wrote to memory of 840	2260	explorer.exe	96
PID 2260 wrote to memory of 840	2260	explorer.exe	96
PID 2260 wrote to memory of 3112	2260	explorer.exe	97
PID 2260 wrote to memory of 3112	2260	explorer.exe	97
PID 2260 wrote to memory of 3112	2260	explorer.exe	97

C:\Users\Admin\AppData\Local\Temp\12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137.exe
"C:\Users\Admin\AppData\Local\Temp\12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3560
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1984
- C:\Users\Admin\AppData\Local\Temp\12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137.exe
  "C:\Users\Admin\AppData\Local\Temp\12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2768
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - \??\c:\windows\system\explorer.exe
      "c:\windows\system\explorer.exe"
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2260
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:840
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

3

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini

Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\System\explorer.exe

Filesize
2.2MB

MD5
9f971f6e070ca2ba113b1ab1730a75f4

SHA1
ce68e0ffc19c3db755e8f7bb2fd9df9d30a7dce3

SHA256
58325e61b8bd4c5cad7a26db4d663e192f4c7fcf976ad4d008b5b7ce6a5e0f2a

SHA512
de5aae729dd5bcc3f66ccf5ef551149290a0473a2f1d3d2e18a191971e5172d075de86308360ad0838a40e21e0de6d8c241a898a356a6a723a072bd44b71fef8

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.2MB

MD5
e2b544586ce8cbde3d6e55f707c652f0

SHA1
ae425f47ab50493d4852827b40d330521183e38f

SHA256
f8c217dbf1ce8cdedbb848143afe8ba364f2b1c0d11e1dab04193aeee9e2dfd2

SHA512
0b5aceaa04307188cdbe0dcc2bfb063e4b7b0c521f99b2691daf998ef02c9a80053a47bfe34e676f1bde523ca1a08a783293ed201bfaed963de798af89897f56

Download Submit
memory/2260-101-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2768-50-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2768-51-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2768-83-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/2768-84-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2912-95-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2912-100-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3560-46-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3560-55-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3560-0-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/3560-47-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads