pony | 588e064c804d34d01ef32057d370e6ead18ef5046d066a60ac780b1b2582c9f4

General

Target

588e064c804d34d01ef32057d370e6ead18ef5046d066a60ac780b1b2582c9f4.exe
Size

2.2MB
MD5

527dd6b6beb8fc15088e62e7b3eb5104
SHA1

858a37a7db7ed9dca2e99a41963de7d843f952f0
SHA256

588e064c804d34d01ef32057d370e6ead18ef5046d066a60ac780b1b2582c9f4
SHA512

c0e3e30c44697a3be83ef4a723411506a2bad60496f38b396087327a1cd7fccb5d2f06e678ebb65dfc30622638b431b1a0a59b6c8a18106363fc134dbdce0a4a
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZI:0UzeyQMS4DqodCnoe+iitjWwwM

Score

10^/10

pony discovery rat spyware stealer

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\588e064c804d34d01ef32057d370e6ead18ef5046d066a60ac780b1b2582c9f4.exe	588e064c804d34d01ef32057d370e6ead18ef5046d066a60ac780b1b2582c9f4.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\588e064c804d34d01ef32057d370e6ead18ef5046d066a60ac780b1b2582c9f4.exe	588e064c804d34d01ef32057d370e6ead18ef5046d066a60ac780b1b2582c9f4.exe

Executes dropped EXE 3 IoCs

pid	Process
2520	explorer.exe
404	explorer.exe
3040	spoolsv.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4404 set thread context of 1056	4404	588e064c804d34d01ef32057d370e6ead18ef5046d066a60ac780b1b2582c9f4.exe	91
PID 2520 set thread context of 404	2520	explorer.exe	95

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Parameters.ini	588e064c804d34d01ef32057d370e6ead18ef5046d066a60ac780b1b2582c9f4.exe
File opened for modification	\??\c:\windows\system\explorer.exe	588e064c804d34d01ef32057d370e6ead18ef5046d066a60ac780b1b2582c9f4.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	588e064c804d34d01ef32057d370e6ead18ef5046d066a60ac780b1b2582c9f4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	588e064c804d34d01ef32057d370e6ead18ef5046d066a60ac780b1b2582c9f4.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1056	588e064c804d34d01ef32057d370e6ead18ef5046d066a60ac780b1b2582c9f4.exe
1056	588e064c804d34d01ef32057d370e6ead18ef5046d066a60ac780b1b2582c9f4.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1056	588e064c804d34d01ef32057d370e6ead18ef5046d066a60ac780b1b2582c9f4.exe
1056	588e064c804d34d01ef32057d370e6ead18ef5046d066a60ac780b1b2582c9f4.exe
404	explorer.exe
404	explorer.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4404 wrote to memory of 4820	4404	588e064c804d34d01ef32057d370e6ead18ef5046d066a60ac780b1b2582c9f4.exe	82
PID 4404 wrote to memory of 4820	4404	588e064c804d34d01ef32057d370e6ead18ef5046d066a60ac780b1b2582c9f4.exe	82
PID 4404 wrote to memory of 1056	4404	588e064c804d34d01ef32057d370e6ead18ef5046d066a60ac780b1b2582c9f4.exe	91
PID 4404 wrote to memory of 1056	4404	588e064c804d34d01ef32057d370e6ead18ef5046d066a60ac780b1b2582c9f4.exe	91
PID 4404 wrote to memory of 1056	4404	588e064c804d34d01ef32057d370e6ead18ef5046d066a60ac780b1b2582c9f4.exe	91
PID 4404 wrote to memory of 1056	4404	588e064c804d34d01ef32057d370e6ead18ef5046d066a60ac780b1b2582c9f4.exe	91
PID 4404 wrote to memory of 1056	4404	588e064c804d34d01ef32057d370e6ead18ef5046d066a60ac780b1b2582c9f4.exe	91
PID 1056 wrote to memory of 2520	1056	588e064c804d34d01ef32057d370e6ead18ef5046d066a60ac780b1b2582c9f4.exe	92
PID 1056 wrote to memory of 2520	1056	588e064c804d34d01ef32057d370e6ead18ef5046d066a60ac780b1b2582c9f4.exe	92
PID 1056 wrote to memory of 2520	1056	588e064c804d34d01ef32057d370e6ead18ef5046d066a60ac780b1b2582c9f4.exe	92
PID 2520 wrote to memory of 404	2520	explorer.exe	95
PID 2520 wrote to memory of 404	2520	explorer.exe	95
PID 2520 wrote to memory of 404	2520	explorer.exe	95
PID 2520 wrote to memory of 404	2520	explorer.exe	95
PID 2520 wrote to memory of 404	2520	explorer.exe	95
PID 404 wrote to memory of 3040	404	explorer.exe	96
PID 404 wrote to memory of 3040	404	explorer.exe	96
PID 404 wrote to memory of 3040	404	explorer.exe	96

C:\Users\Admin\AppData\Local\Temp\588e064c804d34d01ef32057d370e6ead18ef5046d066a60ac780b1b2582c9f4.exe
"C:\Users\Admin\AppData\Local\Temp\588e064c804d34d01ef32057d370e6ead18ef5046d066a60ac780b1b2582c9f4.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4404
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:4820
- C:\Users\Admin\AppData\Local\Temp\588e064c804d34d01ef32057d370e6ead18ef5046d066a60ac780b1b2582c9f4.exe
  "C:\Users\Admin\AppData\Local\Temp\588e064c804d34d01ef32057d370e6ead18ef5046d066a60ac780b1b2582c9f4.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1056
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - \??\c:\windows\system\explorer.exe
      "c:\windows\system\explorer.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:404
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini

Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\System\explorer.exe

Filesize
2.2MB

MD5
d648ad8fd48a56af1436d5e3374de3eb

SHA1
01d9f5a169bb90ca976bda42fd26732a94a0ea43

SHA256
614ecb206da32f7f4c0e2859fc308258ff23407e657462d557dcd46388a0d6a8

SHA512
696d4184a5abe392c18a91f9d4ce8a148ef1d28eae0984ff2df8d72c65bb9cda567d3d4e73a722383403f197a06aaad10a978531847ada7550533e73d62cd439

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.2MB

MD5
432d53ee2ae60fdcfbbe9e176a6a312b

SHA1
8a572925d9a7f08d83aeac6cb8fac2dcbf18e115

SHA256
2516759d7bdf07a64c33dac06bfa950b7eb27538bf22e8af05674269d19e71ab

SHA512
440e1295030d21a89869ebbb3a972a0a68027be84af9599253240ff598f32c7e1616e707a1d1c9ed9aac43cc35d909ad43b74c2c17cdb81e9578cd5fe118c06d

Download Submit
memory/404-104-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1056-45-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1056-46-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1056-88-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2520-99-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2520-105-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4404-41-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4404-48-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4404-0-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/4404-42-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing