pony | 3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93

Analysis

max time kernel
60s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/10/2024, 19:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93.exe
Size

2.2MB
MD5

e7595e9d40c33273c78cf56223eadb6e
SHA1

a5ae2b361bc54587690980c5355c80861c36a7f4
SHA256

3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93
SHA512

cf63fa995f07a2d65d2ac5a741305193705f84510921326b5c652aecc1cb29e4830609544d1eab3fca95e5fdfa181a253a39d4a027846f0f06ed2ba8974ccdab
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZQ:0UzeyQMS4DqodCnoe+iitjWwwM

Score

10^/10

pony discovery rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93.exe	3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93.exe	3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93.exe

Executes dropped EXE 2 IoCs

pid	Process
2960	explorer.exe
2184	explorer.exe

Loads dropped DLL 2 IoCs

pid	Process
2988	3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93.exe
2988	3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2364 set thread context of 2988	2364	3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93.exe	30
PID 2960 set thread context of 2184	2960	explorer.exe	32

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Parameters.ini	3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93.exe
File opened for modification	\??\c:\windows\system\explorer.exe	3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2988	3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2988	3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93.exe
2988	3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2904	2364	3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93.exe	29
PID 2364 wrote to memory of 2904	2364	3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93.exe	29
PID 2364 wrote to memory of 2904	2364	3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93.exe	29
PID 2364 wrote to memory of 2904	2364	3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93.exe	29
PID 2364 wrote to memory of 2988	2364	3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93.exe	30
PID 2364 wrote to memory of 2988	2364	3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93.exe	30
PID 2364 wrote to memory of 2988	2364	3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93.exe	30
PID 2364 wrote to memory of 2988	2364	3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93.exe	30
PID 2364 wrote to memory of 2988	2364	3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93.exe	30
PID 2364 wrote to memory of 2988	2364	3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93.exe	30
PID 2988 wrote to memory of 2960	2988	3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93.exe	31
PID 2988 wrote to memory of 2960	2988	3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93.exe	31
PID 2988 wrote to memory of 2960	2988	3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93.exe	31
PID 2988 wrote to memory of 2960	2988	3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93.exe	31
PID 2960 wrote to memory of 2184	2960	explorer.exe	32
PID 2960 wrote to memory of 2184	2960	explorer.exe	32
PID 2960 wrote to memory of 2184	2960	explorer.exe	32
PID 2960 wrote to memory of 2184	2960	explorer.exe	32
PID 2960 wrote to memory of 2184	2960	explorer.exe	32
PID 2960 wrote to memory of 2184	2960	explorer.exe	32

C:\Users\Admin\AppData\Local\Temp\3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93.exe
"C:\Users\Admin\AppData\Local\Temp\3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2904
- C:\Users\Admin\AppData\Local\Temp\3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93.exe
  "C:\Users\Admin\AppData\Local\Temp\3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2988
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2960
  - - \??\c:\windows\system\explorer.exe
      "c:\windows\system\explorer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2184
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1864
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2088
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2064
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2476
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:756
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini

Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\system\explorer.exe

Filesize
2.1MB

MD5
86f8dae84e341737bdca324aae783a45

SHA1
def038207760dbe7131f2b67f469e2614e4330bf

SHA256
9dabd20c877bf2d0cac8d1ad32f204226990a1466644787ba312e5ae23523af9

SHA512
45ca52d842723fd846f6127980595d66ab1962d9ddae12ca606506eac9026317dbfd619e2896d6c62cbd930de8a0fe575e8056c6a5aa030aed8e47cc19279a52

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
834KB

MD5
2c405dc241138e33563e85a7d549d9ac

SHA1
13d4690f92f7982c3fe4a3979a378145482c0cd0

SHA256
59c6c940b4f3a7be7b048ce15106799d2a5aaf5a06abb524b2cd55aecd1edc2d

SHA512
729b01ca059e58f0e6852ab05fd1d1c0f5e57f5a7de6a7009b6d273e408bb6092de2d3cf1a5891ffff26c7211a8fadd34b31eab127646896552fa3824d02beac

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
556KB

MD5
fc0a578badf0f4f8c57e3fc59e7010ac

SHA1
1cbcb2fc4d956ccfda8ee6ec99cc1930c4b549bd

SHA256
f1ac7724e9704f11f582c4e9243f6308df22e48aacb85e7613ad129a5261f3f8

SHA512
68bce533b50272ec2c66f74d4eb583e037dd4eecc53aba7ffbe709ee2048c19f88a65586f0decf5eb26d2742967befcf39769d456785f49773fcc992eca80375

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
295KB

MD5
559a8e598c806abeb37a9a2d855604a0

SHA1
3144f33c8e62f375ceb2aa0aa61ead9348f4ea98

SHA256
a9eb9406e87fb7981cc787d9fbfc2fcb935f51def11b8160831f49f71231ef56

SHA512
48837b497dddeb80cc606368ef2b3921b8597ffe5b55250a5a5e27a95c8f9486f982c3bf4c66b767e90600090ebe09ffe19b57f70fc4cc8409b0891b640f7c15

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
341KB

MD5
17f3d7b120c9a37dc28e7bb959be3114

SHA1
da3b4e2b2ee623030350d5cd65c880cf0d43ebf2

SHA256
e5ba22fa52c1f2489dfa6f65b97c22c9486c0477cc0ba7772eec68947c64935c

SHA512
f723eb760753e900b03a9ca15193b37c6a2948daac8e86b5db9e0bd59f3248019fb44d5485bbd050454b2f19de8e81788e0ce0780b5d36e4eed9e6a1aa7f01d3

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
85KB

MD5
5bf884bbb238562661b0f5fdc8be95b4

SHA1
b2f3015ba97c7ee0bca4604948e6538f4bbe7947

SHA256
0fa48af24068a56c4aaaa42e22d4539c00e8a212c73d51c6653274e4c186324a

SHA512
66c8165325b29a23250681f9e3523dc3a813dbb4027138994b4263476b03a1bf7608dae018c8a84cfc43a471359587eb50ea00331068efca3d239cc77dbaf221

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
1.1MB

MD5
b4afb6333625e2228ee9fe1b250fa966

SHA1
8e5a44b515c33874a53404a947902afc70c6210b

SHA256
1fa650eba393c9909fc24a1938c3fbd67c2df2bd4b742e2d9c655e135cb784c8

SHA512
8c636423ccc937a55e6f00bfb8b6a31f9070fc9a817f32154811ad11b8dd29b1343670268104aac7523e1bac52de4f6377f7ff4e36471eaae5173fc3deaec5e6

Download Submit
\??\c:\windows\system\explorer.exe

Filesize
1.8MB

MD5
932dbfe75de86eca234aa3ebe0a8e679

SHA1
32884444cf9e9287b1fe744eb0f5ac243d1bc35c

SHA256
6cd24525ff105f8d962a2b3dfd94057d4e5f63b6567179f5bb3065a1714806fc

SHA512
43d793dfa1e151a7275da82f385352fb595b82850837dad143109a5f305c9ad04d28b7551746321b19cade4b59002db50d3e10b961de9dd20b1bfd679e2b6a2a

Download Submit
\Windows\system\explorer.exe

Filesize
2.2MB

MD5
e439f9ed638f262ceb2aabfebbe455e8

SHA1
ae890baf17f4b2b354bfa2f21cdc61b4e3032ff6

SHA256
071392197818222410442d6c5a5d726b4f25a46b3f98c9d833e5fb832ea86977

SHA512
38f5f5b6e0fed6f803c822ff19833c95a73a32d6b98a1c018b64293850c6e5a58c6994dd5ea48514c73f7507aa930068341d1549348ecfd9701c539be1ca99ae

Download Submit
\Windows\system\spoolsv.exe

Filesize
648KB

MD5
8d568f78bd25f10ed17c76e4e04c8bcd

SHA1
11bd292b049a92b755d42957274124f5434e4145

SHA256
d38a7b6cf615ca38154edd7320a7327e2ec86ec4979b18606e57e1903e9d9cfc

SHA512
318439ce5d49e4607c6286da9d7958791b4ac82bc2c9b63a61a1a162f922fbb229a571903781cfc5a7c785d916b2c77602f255ae91061728a0f8dc026ddabaf7

Download Submit
\Windows\system\spoolsv.exe

Filesize
842KB

MD5
7b814d5460c39b1deca2cfbeeed832ce

SHA1
40959796f3860c8174f199ce88736d7dc09835bb

SHA256
2c7d9f57ffb9f5295c69472bfda3a3b76d44a8a9626e6cababfe2df31f124ad4

SHA512
4456cd6cedd3c39ad69b62e420c74b4f99207bc8b2618860d32c489f4e3cfe21f7102bd931b530c3cf0847e82da4f6347544f4f259a9e3c6a82216375329904d

Download Submit
\Windows\system\spoolsv.exe

Filesize
638KB

MD5
31ad004e92c4c9c8974484dc04b8608f

SHA1
1904cef7eb852dfd11902b4d2c6978568cfc565c

SHA256
3615645acc9c3b36469575afc9752ae7b50a69069c8e30b6223e35e6e42657e3

SHA512
fa1a74bd3136f57eaee6e895842020166cfacbd162accd3d426124118f4a3d6160a382ca03a7e824ec6a5f1b9f6572792faab9fbaf7305184b0ecf55f961b837

Download Submit
\Windows\system\spoolsv.exe

Filesize
674KB

MD5
4e818a324ba524f42da4a78ed6603ad3

SHA1
ce11725413306df128a979a0f71a0148de97f247

SHA256
527d344f2c68d066df25c999db1afb1f92e9f7b8879fa25ed17638bc1c86062c

SHA512
09b3bc0d02add3edaaaddcbc47bf02053418013373724111622bce349dd5a162399740783cc19b1e08a3106d52c4c24f411e850b4950477f60833f796f95e68f

Download Submit
\Windows\system\spoolsv.exe

Filesize
405KB

MD5
98f7c305747e90160390cbecd604fbc6

SHA1
c3d7524694380af439ada171d873cd05946fca7a

SHA256
088bc23fe882d58d7ab5da35f31b98b1a5ca96e6b9e0a52c01ca1b76768f90ed

SHA512
cc51749e6f68540a594f669a3323cdc4d44b655d366c0893acde16e4aaeb34e1a1696727d94fcbf6f03dffd04196fa9a81e5901eca02d9f409c383829f001b55

Download Submit
\Windows\system\spoolsv.exe

Filesize
576KB

MD5
763c449c42a57a5d86866a209544abaa

SHA1
85a36072db4f374edbc367396fd8181e67bd0c37

SHA256
b36002a0e31bd16477f8ee5c697392b726580647f484fa629fc82aec058e0703

SHA512
d8d4f28c47fc03797df267ce0ce5d97a3adfd0c2726224cc2adafda1953c5281af5e0cd03527edcd7a332c41233295072ddc025e2a16494643d0d09fb6ba49e2

Download Submit
\Windows\system\spoolsv.exe

Filesize
351KB

MD5
6fd3c0b08d1acfe14e077161e9110a76

SHA1
d5f4e50c4e2a17c3a61259ded096b1f4593a4916

SHA256
7b7ea286786eebe05f0de249ed50afb92872479fa6309626b5c94ca5dde79c0c

SHA512
a0b0bd1ad1e1893040bb849b089aa2826ab5d63d3dabf33e13cf0dfb4454dfb3fa0d50d686048d55b8f23f7bcdab660745cefaf52c2fac32b2d389f706dc0d24

Download Submit
\Windows\system\spoolsv.exe

Filesize
136KB

MD5
cdec8bf4c9aeedf2ee653c44d2aa3e32

SHA1
eb6bb77cfdb5a7d125301961f0eb232707649e49

SHA256
2dcf0412134afdfbfd268e8f2ea4fcbe03bc735ccdac9d7353f9ff6ebbff7942

SHA512
14a2c939ff7d105c19ebda72bb0bcad6dea192051c400c37e3d429b2aa8274c0b81b635def733fea4497e9caa6f0eb1ddecfe9e16adf99547ca67cac9cd54835

Download Submit
\Windows\system\spoolsv.exe

Filesize
99KB

MD5
a5ea319ef133ea952330d54aed825882

SHA1
b4e25ce1481ac255762afc060472c21090266e93

SHA256
5d8649daeca7c0601d251cc18dbaecb7e5ae0401b7083399e11051fa6ff15916

SHA512
235c6bfcfe5fe93bd18584a3eb115aae9853f03249b8978231bad28fdc987f211a9640ca85fe307dbb27d94a00b026cf534407885547ede4be5ee1bc771936e7

Download Submit
\Windows\system\spoolsv.exe

Filesize
1.1MB

MD5
5bdfb14333d3594b47408fc1f0163641

SHA1
4a3606c0d32eb4176a6e783d1bcc44118810b3b8

SHA256
a782b05d1418cb5a66906ce797d1e021ad60f97b7c24d8ae65478cc3c52ca135

SHA512
05bea4fdd1f7ea5aa36768762faef511dcc5ee85929559d23f8fdeeced44656d69f5528206776f6df690652f68290e6819cff67063f71081f85f2af50a7859d5

Download Submit
\Windows\system\spoolsv.exe

Filesize
1.0MB

MD5
01a9199c4d52ae4466b7ee9b4c6bf889

SHA1
41423ed039672389dd8141289cbbd7cc0afd7437

SHA256
52fe8d216ec6fd50bf3f593b53474ce1874f78cc663488e167a288d232a8ebc0

SHA512
ce15a530a66d5ff9115aa5b9e6ea92a9933080ef0eca19d1588c8934a28ef36e89474eadb6639fea1de46d55f9d54edb5a82026eb0412415f806c4a955e06d40

Download Submit
\Windows\system\spoolsv.exe

Filesize
952KB

MD5
d6efbbeea777b83c6e16bda338bc8b14

SHA1
8a76dafa6f78a0a3f0d05818b561bb49d8eacef8

SHA256
9c37138626bb6742126bfd4a6f83498b3a127679a96836d6891a168bb9441f2b

SHA512
e656ea8d620df4b384ebc25278f4f6e886919954adfa0910544d6389eaa6a2c782161de480900b3cb53fd4c26dc58639bbf24a6233a6682b7bc45862166d295c

Download Submit
memory/2364-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2364-17-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2364-18-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2364-29-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2960-43-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2960-72-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2960-62-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2988-25-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2988-31-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2988-51-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2988-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2988-20-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download