pony | 3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93

General

Target

3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93.exe
Size

2.2MB
MD5

e7595e9d40c33273c78cf56223eadb6e
SHA1

a5ae2b361bc54587690980c5355c80861c36a7f4
SHA256

3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93
SHA512

cf63fa995f07a2d65d2ac5a741305193705f84510921326b5c652aecc1cb29e4830609544d1eab3fca95e5fdfa181a253a39d4a027846f0f06ed2ba8974ccdab
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZQ:0UzeyQMS4DqodCnoe+iitjWwwM

Score

10^/10

pony discovery rat spyware stealer

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93.exe	3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93.exe	3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93.exe

Executes dropped EXE 3 IoCs

pid	Process
4016	explorer.exe
1836	explorer.exe
4416	spoolsv.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2148 set thread context of 2308	2148	3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93.exe	99
PID 4016 set thread context of 1836	4016	explorer.exe	103

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Parameters.ini	3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93.exe
File opened for modification	\??\c:\windows\system\explorer.exe	3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2308	3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93.exe
2308	3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2308	3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93.exe
2308	3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93.exe
1836	explorer.exe
1836	explorer.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 2624	2148	3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93.exe	89
PID 2148 wrote to memory of 2624	2148	3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93.exe	89
PID 2148 wrote to memory of 2308	2148	3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93.exe	99
PID 2148 wrote to memory of 2308	2148	3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93.exe	99
PID 2148 wrote to memory of 2308	2148	3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93.exe	99
PID 2148 wrote to memory of 2308	2148	3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93.exe	99
PID 2148 wrote to memory of 2308	2148	3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93.exe	99
PID 2308 wrote to memory of 4016	2308	3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93.exe	101
PID 2308 wrote to memory of 4016	2308	3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93.exe	101
PID 2308 wrote to memory of 4016	2308	3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93.exe	101
PID 4016 wrote to memory of 1836	4016	explorer.exe	103
PID 4016 wrote to memory of 1836	4016	explorer.exe	103
PID 4016 wrote to memory of 1836	4016	explorer.exe	103
PID 4016 wrote to memory of 1836	4016	explorer.exe	103
PID 4016 wrote to memory of 1836	4016	explorer.exe	103
PID 1836 wrote to memory of 4416	1836	explorer.exe	104
PID 1836 wrote to memory of 4416	1836	explorer.exe	104
PID 1836 wrote to memory of 4416	1836	explorer.exe	104

C:\Users\Admin\AppData\Local\Temp\3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93.exe
"C:\Users\Admin\AppData\Local\Temp\3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2624
- C:\Users\Admin\AppData\Local\Temp\3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93.exe
  "C:\Users\Admin\AppData\Local\Temp\3efcdcc94df4df7e91f9af6dd4bfe64a8a40f832df1381ab1edacfdb242e7c93.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2308
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4016
  - - \??\c:\windows\system\explorer.exe
      "c:\windows\system\explorer.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1836
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:3840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4076,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=4328 /prefetch:8
1⤵
PID:4436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini

Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\System\explorer.exe

Filesize
2.2MB

MD5
07b4380a17a9d6ce0cc259734dd74820

SHA1
8d7deb59b1923454ee0909cd62b55668b020e3ea

SHA256
cbee0daef1b4c21620d45cee6676953d0de6156cb7a4b52456d09f3b381f76b5

SHA512
b49b5717c75c2649ceb475b5b12cf34540ed0f5d1da0230fe647dea714a96bf21f8aecdbc5ff84890041d0cc0d6c5021ea81ba6579f79263b4e98c3594ace597

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.2MB

MD5
7676c61378134016cbb674ccd45aa467

SHA1
92b396329f02f3a0a03aefdf774d135d061bd561

SHA256
6b26fc558e5d4f486fccb52b496b779b9c6d71896ed2ff634401b53807d4ddef

SHA512
5e5f0fa3d313a0e8f683aa8138b5367ceaa63e9f49abce4e48bebe27e3b40f63ef829085971625465651c668013d55ae935f21679204d8fade5a770494d49e08

Download Submit
memory/1836-80-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2148-27-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2148-0-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/2148-21-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2148-22-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/2308-25-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2308-24-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2308-67-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/2308-69-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4016-75-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4016-81-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing