pony | 5ffa8c913609a3b6c075d05d06b41d5e552fd42beed5d2f5554f7d58929323fc

Analysis

max time kernel
60s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-10-2024 19:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ffa8c913609a3b6c075d05d06b41d5e552fd42beed5d2f5554f7d58929323fc.exe
Size

2.2MB
MD5

a9d5ff4bb5fc6dd05f1fedb9e9f67052
SHA1

d2fe26c4b3505c76e5f8001edc7525c68d26710f
SHA256

5ffa8c913609a3b6c075d05d06b41d5e552fd42beed5d2f5554f7d58929323fc
SHA512

769d627280cb2edd8cc13e3789e78ce9736e321a888c971f4a8a8708033fc1a158849c294004af167613550f94e3df45ca04d202b68144c28a55c2a23b105e75
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZW:0UzeyQMS4DqodCnoe+iitjWwwa

Score

10^/10

pony discovery rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5ffa8c913609a3b6c075d05d06b41d5e552fd42beed5d2f5554f7d58929323fc.exe	5ffa8c913609a3b6c075d05d06b41d5e552fd42beed5d2f5554f7d58929323fc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5ffa8c913609a3b6c075d05d06b41d5e552fd42beed5d2f5554f7d58929323fc.exe	5ffa8c913609a3b6c075d05d06b41d5e552fd42beed5d2f5554f7d58929323fc.exe

Executes dropped EXE 2 IoCs

pid	Process
1948	explorer.exe
2088	explorer.exe

Loads dropped DLL 2 IoCs

pid	Process
2724	5ffa8c913609a3b6c075d05d06b41d5e552fd42beed5d2f5554f7d58929323fc.exe
2724	5ffa8c913609a3b6c075d05d06b41d5e552fd42beed5d2f5554f7d58929323fc.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2176 set thread context of 2724	2176	5ffa8c913609a3b6c075d05d06b41d5e552fd42beed5d2f5554f7d58929323fc.exe	30
PID 1948 set thread context of 2088	1948	explorer.exe	32

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Parameters.ini	5ffa8c913609a3b6c075d05d06b41d5e552fd42beed5d2f5554f7d58929323fc.exe
File opened for modification	\??\c:\windows\system\explorer.exe	5ffa8c913609a3b6c075d05d06b41d5e552fd42beed5d2f5554f7d58929323fc.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5ffa8c913609a3b6c075d05d06b41d5e552fd42beed5d2f5554f7d58929323fc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5ffa8c913609a3b6c075d05d06b41d5e552fd42beed5d2f5554f7d58929323fc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2724	5ffa8c913609a3b6c075d05d06b41d5e552fd42beed5d2f5554f7d58929323fc.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2724	5ffa8c913609a3b6c075d05d06b41d5e552fd42beed5d2f5554f7d58929323fc.exe
2724	5ffa8c913609a3b6c075d05d06b41d5e552fd42beed5d2f5554f7d58929323fc.exe
2088	explorer.exe
2088	explorer.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 1744	2176	5ffa8c913609a3b6c075d05d06b41d5e552fd42beed5d2f5554f7d58929323fc.exe	29
PID 2176 wrote to memory of 1744	2176	5ffa8c913609a3b6c075d05d06b41d5e552fd42beed5d2f5554f7d58929323fc.exe	29
PID 2176 wrote to memory of 1744	2176	5ffa8c913609a3b6c075d05d06b41d5e552fd42beed5d2f5554f7d58929323fc.exe	29
PID 2176 wrote to memory of 1744	2176	5ffa8c913609a3b6c075d05d06b41d5e552fd42beed5d2f5554f7d58929323fc.exe	29
PID 2176 wrote to memory of 2724	2176	5ffa8c913609a3b6c075d05d06b41d5e552fd42beed5d2f5554f7d58929323fc.exe	30
PID 2176 wrote to memory of 2724	2176	5ffa8c913609a3b6c075d05d06b41d5e552fd42beed5d2f5554f7d58929323fc.exe	30
PID 2176 wrote to memory of 2724	2176	5ffa8c913609a3b6c075d05d06b41d5e552fd42beed5d2f5554f7d58929323fc.exe	30
PID 2176 wrote to memory of 2724	2176	5ffa8c913609a3b6c075d05d06b41d5e552fd42beed5d2f5554f7d58929323fc.exe	30
PID 2176 wrote to memory of 2724	2176	5ffa8c913609a3b6c075d05d06b41d5e552fd42beed5d2f5554f7d58929323fc.exe	30
PID 2176 wrote to memory of 2724	2176	5ffa8c913609a3b6c075d05d06b41d5e552fd42beed5d2f5554f7d58929323fc.exe	30
PID 2724 wrote to memory of 1948	2724	5ffa8c913609a3b6c075d05d06b41d5e552fd42beed5d2f5554f7d58929323fc.exe	31
PID 2724 wrote to memory of 1948	2724	5ffa8c913609a3b6c075d05d06b41d5e552fd42beed5d2f5554f7d58929323fc.exe	31
PID 2724 wrote to memory of 1948	2724	5ffa8c913609a3b6c075d05d06b41d5e552fd42beed5d2f5554f7d58929323fc.exe	31
PID 2724 wrote to memory of 1948	2724	5ffa8c913609a3b6c075d05d06b41d5e552fd42beed5d2f5554f7d58929323fc.exe	31
PID 1948 wrote to memory of 2088	1948	explorer.exe	32
PID 1948 wrote to memory of 2088	1948	explorer.exe	32
PID 1948 wrote to memory of 2088	1948	explorer.exe	32
PID 1948 wrote to memory of 2088	1948	explorer.exe	32
PID 1948 wrote to memory of 2088	1948	explorer.exe	32
PID 1948 wrote to memory of 2088	1948	explorer.exe	32

C:\Users\Admin\AppData\Local\Temp\5ffa8c913609a3b6c075d05d06b41d5e552fd42beed5d2f5554f7d58929323fc.exe
"C:\Users\Admin\AppData\Local\Temp\5ffa8c913609a3b6c075d05d06b41d5e552fd42beed5d2f5554f7d58929323fc.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1744
- C:\Users\Admin\AppData\Local\Temp\5ffa8c913609a3b6c075d05d06b41d5e552fd42beed5d2f5554f7d58929323fc.exe
  "C:\Users\Admin\AppData\Local\Temp\5ffa8c913609a3b6c075d05d06b41d5e552fd42beed5d2f5554f7d58929323fc.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2724
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1948
  - - \??\c:\windows\system\explorer.exe
      "c:\windows\system\explorer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2088
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2660
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2912
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1068
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2316
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:748
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini

Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
1.1MB

MD5
61e54a80d08d8a7f13baf84c0d8ee622

SHA1
c198436f419cc05b5db99fe8679e938c1272361e

SHA256
5a509e41a9633ec797508c955d89c704dbf84ca4d6632a5f64ae727d35656f96

SHA512
94cfc7245600f67b39b93d8a6afda5d472af369d6a1e15a4f2016c778560c76a38b48564e2cce92c703f61c90f7b63db9d9e1b460b37eefc60bcd31022c7d64b

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
638KB

MD5
31ad004e92c4c9c8974484dc04b8608f

SHA1
1904cef7eb852dfd11902b4d2c6978568cfc565c

SHA256
3615645acc9c3b36469575afc9752ae7b50a69069c8e30b6223e35e6e42657e3

SHA512
fa1a74bd3136f57eaee6e895842020166cfacbd162accd3d426124118f4a3d6160a382ca03a7e824ec6a5f1b9f6572792faab9fbaf7305184b0ecf55f961b837

Download Submit
\Windows\system\explorer.exe

Filesize
2.2MB

MD5
c6b1da10c457b8016ede2f21c8594341

SHA1
25faba4fca4f0a9aeaf49442d3e8ad54a9bc21bd

SHA256
10e1c5c61823e4d85de08ed51bddec1745602736806681216d3a54de201de0c8

SHA512
12dfcf06d5a24c30432728bf0cb9be94f7caf9d6e32a456b1fef4b1190d1173854214647c3c4e1e14dd6aefcc3b3eaf9c862ebd7b62afd8ff0e2fd0aaffab337

Download Submit
\Windows\system\spoolsv.exe

Filesize
1.7MB

MD5
bd9ab5b50e8379391086555731e5443e

SHA1
18db04f0fb9055731aa271a241c535e10867b43a

SHA256
dd9669fc2732536f1911025a008ebd6dd19ac3bb2095b1f6cc072d8e43b44053

SHA512
b0d35d6a6a3c062cbb9af07680cc6b2c308f85d5841fe4293b928e00a7c6fa4290777a4431d33b80cd74cd7693e65981ae10c31a6edbeb608a8869e1a2a6b2a3

Download Submit
\Windows\system\spoolsv.exe

Filesize
1.6MB

MD5
47afafc6a6cc71a6906bbb25ded79a16

SHA1
b5650827c052224a156a495e2ff7f67daddcc7a4

SHA256
6e9fe51f68f629e8c769e50054d96235babcb9051d7dff9995cc55319cf5b98c

SHA512
e88a2f09686454260390b0390d92cb2403540ba085cdcd58c06d27e23a3c31a7a2e7a050582a901c3dae3faea9d01b60486d980d0a6ccc0cf8ddd24ec6e17767

Download Submit
\Windows\system\spoolsv.exe

Filesize
1.0MB

MD5
31e53e35886b9b26c5d1fc418cfadcdf

SHA1
b0c1b077c178d09872db454f64d59aad405fdf5b

SHA256
ca4c61912f914070fdcca2b21e2af1133068ef2d68df529467f70dd31c5878d9

SHA512
266a7df934e486927893976a761ca5b3f43eb34568613847d731df9493532ff16aca922a0073a603bce4cde2677df5645ceb55779967a2d038beabb024720bd1

Download Submit
\Windows\system\spoolsv.exe

Filesize
611KB

MD5
83c21d83878278beed62f7e326b222a6

SHA1
d97ba64ccdf7bae05ce3e4918becf174b0fcefb1

SHA256
977c14a99964eed077cb0eafcfa2979c9de68d739a161403a4627429d175408c

SHA512
d1d60da53d600e40aba71f744e5440c9f811d5a5056e9321e71482e09aa2b12f84bdc8d56c9f2c4590bc75bb55607fdfd07be96d6be18b563d9da99ab7089a61

Download Submit
\Windows\system\spoolsv.exe

Filesize
704KB

MD5
d7d8be8e2793aa0c8084526007e52a5e

SHA1
15fd5b2635834afec9623a418b2074f00a2618c6

SHA256
8480da782354a333ffcbb392c9e48aed82a49a1eb636941971ca4695d99b874d

SHA512
d91e4890d27d8be50df9a8c19e6b8b25eb7639d40825f6e85372978d66d19c405c5cf13fafb732278f959549465a001d6bf6ff3040a2f3e0a8259b07d05c1076

Download Submit
\Windows\system\spoolsv.exe

Filesize
64KB

MD5
fc4708de749c295e8b2af1df1a416869

SHA1
d74d14d78e8e7e7b54402275c335d8c2770d10c4

SHA256
a9fcf7fcf030f278191b7820e5e0a11818764b42d42ba7c7b3eee5c4c2ed3f02

SHA512
1b0d803c3a06b6ed556cbe59699ce77067caf91bb0c6118606adfe7a5eb3c2a2f39cd4bb45f31811d2900d866fa3872ff64b4cc636936649cf0621c93ec9a1be

Download Submit
\Windows\system\spoolsv.exe

Filesize
49KB

MD5
8510e9124cb8a1674f08092bee676b4c

SHA1
512bdfd1817b8e58d09e66918fc736d3c0ed1c20

SHA256
2589cf88ef65ec0faaedb548b3c5bcc4332fd26215937214b859fb838c454a36

SHA512
dc11001f77509beade9c15643be8964bab32da0caaf4e773e0c98c805ecf745343627f06d9e5b205e0e78188739e332f0516987fa1770402d7f2f65de26023a4

Download Submit
\Windows\system\spoolsv.exe

Filesize
2.2MB

MD5
774d52861d131520a804a10844752db6

SHA1
22d3b2b383924b7286db0253c7579dc543c25002

SHA256
6393c66b6b70f32bc4b447deebd6d29a8bdb600dd94655b3e33d286a731122d9

SHA512
a98c50de80187fe364031e137752a03c889097fd960887567063a296332018781655975e002d98289bea7b8861c0950aa8fe66a6d22645feda17419c7afaeb83

Download Submit
memory/1948-61-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1948-71-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1948-41-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2176-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2176-28-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2176-16-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2176-17-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2724-49-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2724-26-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2724-27-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2724-19-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2724-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download