pony | 1a65c42dcc0f217a5d4b06b7655d3958db5e33abf4fc6bfdbf88a1fdfcc4eeb2

Analysis

max time kernel
58s
max time network
21s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
20-10-2024 21:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a65c42dcc0f217a5d4b06b7655d3958db5e33abf4fc6bfdbf88a1fdfcc4eeb2.doc
Size

222KB
MD5

202fe901eec6ef893f5f8d86528e5d54
SHA1

1ded84a8c931c682d21fbc3c5802eff21e336f0e
SHA256

1a65c42dcc0f217a5d4b06b7655d3958db5e33abf4fc6bfdbf88a1fdfcc4eeb2
SHA512

13f64d4af37a5f19526384113a587c690fea24fb05307c15a81125ff5b34c05b08eb27b88f67fcde470c3ebfa172f95f817f5c73252744bc81932496380c88b1
SSDEEP

3072:zVIfFuR6AqFMa2fL3NtkWL90y7K4mlQCww7zDTW6HNRn0nPmaw:zVIf8RsOtZclptz78Pk

Score

10^/10

pony collection credential_access discovery rat spyware stealer upx

Malware Config

Extracted

Family

pony

http://fouseevenghedt.ru/gate.php

http://biledroben.ru/gate.php

http://rohironrof.ru/gate.php

Attributes

payload_url
http://eloraestate.com/wp-content/plugins/prism-highlight/opera1.exe

http://edmontonlimo247.com/wp-content/plugins/prism-highlight/opera1.exe

http://dgfcomercial.com.br/wp-content/plugins/prism-highlight/opera1.exe

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Executes dropped EXE 1 IoCs

pid	Process
1444	8tr.exe

Loads dropped DLL 1 IoCs

pid	Process
2076	WINWORD.EXE

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	8tr.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	8tr.exe
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	8tr.exe
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	8tr.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1444-93-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral1/memory/1444-98-0x0000000000400000-0x0000000000430000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8tr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2076	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1444	8tr.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeImpersonatePrivilege	1444	8tr.exe
Token: SeTcbPrivilege	1444	8tr.exe
Token: SeChangeNotifyPrivilege	1444	8tr.exe
Token: SeCreateTokenPrivilege	1444	8tr.exe
Token: SeBackupPrivilege	1444	8tr.exe
Token: SeRestorePrivilege	1444	8tr.exe
Token: SeIncreaseQuotaPrivilege	1444	8tr.exe
Token: SeAssignPrimaryTokenPrivilege	1444	8tr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2076	WINWORD.EXE
2076	WINWORD.EXE
2204	WINWORD.EXE
2204	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 2940	2076	WINWORD.EXE	30
PID 2076 wrote to memory of 2940	2076	WINWORD.EXE	30
PID 2076 wrote to memory of 2940	2076	WINWORD.EXE	30
PID 2076 wrote to memory of 2940	2076	WINWORD.EXE	30
PID 2076 wrote to memory of 1444	2076	WINWORD.EXE	32
PID 2076 wrote to memory of 1444	2076	WINWORD.EXE	32
PID 2076 wrote to memory of 1444	2076	WINWORD.EXE	32
PID 2076 wrote to memory of 1444	2076	WINWORD.EXE	32
PID 1444 wrote to memory of 1104	1444	8tr.exe	33
PID 1444 wrote to memory of 1104	1444	8tr.exe	33
PID 1444 wrote to memory of 1104	1444	8tr.exe	33
PID 1444 wrote to memory of 1104	1444	8tr.exe	33

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	8tr.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	8tr.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1a65c42dcc0f217a5d4b06b7655d3958db5e33abf4fc6bfdbf88a1fdfcc4eeb2.doc"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2940
- C:\Users\Admin\AppData\Local\Temp\8tr.exe
  C:\Users\Admin\AppData\Local\Temp\8tr.exe
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook accounts
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:1444
- - C:\Windows\SysWOW64\cmd.exe
    cmd /K
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1104

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\78CD1A1F.emf

Filesize
5KB

MD5
0ed5bc16545d23c325d756013579a697

SHA1
dcdde3196414a743177131d7d906cb67315d88e7

SHA256
3e430584cd9774ea3b21d8e19b485b48212fe356776158dd5f3c5f63a5bde7d3

SHA512
c93072d11058fa50e3b09ff4da9f3dbe2637c2b5df05e616bd8ddd04557ea1e8b0db106b1545fad334619118c467776f81cf97ca52d3f2fcbbe007f30032b8af

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbhja.rtf

Filesize
802KB

MD5
001bee5c1bcb9a7512248e7a7eed6e17

SHA1
b007a07a27178b712b73616136a80da89963e216

SHA256
426c7c0f45b72d648fd956724c661b1c61e6948a5ea631fcafadc2526cc59d6d

SHA512
d755731490b9d6b8d1747de1b3fba29840588003fd4c25baaa414ccf1178ebf4b7515a8b96f18196ec0da28129080e0a9ac3901729fabe3a4f68e249050c3703

Download Submit
C:\Users\Admin\AppData\Local\Temp\~WRD0001.tmp

Filesize
802KB

MD5
6e15da8ed20eddb7e4a2fdecba6b8dac

SHA1
b9300634c4c4fe17e1faccc04086ef7140eba533

SHA256
7bc2941c7e3de1c6aae780f05b9a542b0e2150116cdee2c329c2991983841b58

SHA512
5a789a7ef9597c553cd663a47fca084c2d9bc2992c74f6dbf0707750235ba38f9e42d8f30666269529d401545a192e5d4444d6a40a0700d190ced4f76c5a2af5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
eca36645a13cc72edffc07e75d33a5b1

SHA1
eecaa55430a29b10afbaf88769f5102370452de5

SHA256
2e69414431b2928a9d3b69cd91bc494b9d9b1e6dd2d0d89c02c9415b2e1380bf

SHA512
64240f296f811158c3dafe418fa10f0a901f67a13e95b40320b99a176aa64fcb3c89c896051f94b1cc0cf279e5c31ca6ca4b0f509467a37b78cb20e67dee808d

Download Submit
\Users\Admin\AppData\Local\Temp\8tr.exe

Filesize
178KB

MD5
c028f68109fd975e9aed790087fe1457

SHA1
8086b95ae4f58529e2941aa4c532d8c584af1024

SHA256
5c05db8164a6d51dd483cbe8eddb1d0c21aecf432ef75f5dc5a0a2fc0b711657

SHA512
d22c6fe16c97890866f12ca1c7ab98d6242f997e3b84a2ced243830079693d7896f9bf7374a4c54e6d4155fa838b91064794918e5840805f58c72e619a54da02

Download Submit
memory/1444-98-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1444-93-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2076-11-0x0000000000460000-0x0000000000560000-memory.dmp

Filesize
1024KB

Download
memory/2076-39-0x0000000000460000-0x0000000000560000-memory.dmp

Filesize
1024KB

Download
memory/2076-42-0x0000000000460000-0x0000000000560000-memory.dmp

Filesize
1024KB

Download
memory/2076-40-0x0000000000460000-0x0000000000560000-memory.dmp

Filesize
1024KB

Download
memory/2076-7-0x0000000000460000-0x0000000000560000-memory.dmp

Filesize
1024KB

Download
memory/2076-37-0x0000000000460000-0x0000000000560000-memory.dmp

Filesize
1024KB

Download
memory/2076-36-0x0000000000460000-0x0000000000560000-memory.dmp

Filesize
1024KB

Download
memory/2076-35-0x0000000000460000-0x0000000000560000-memory.dmp

Filesize
1024KB

Download
memory/2076-32-0x0000000000460000-0x0000000000560000-memory.dmp

Filesize
1024KB

Download
memory/2076-31-0x0000000000460000-0x0000000000560000-memory.dmp

Filesize
1024KB

Download
memory/2076-30-0x0000000000460000-0x0000000000560000-memory.dmp

Filesize
1024KB

Download
memory/2076-29-0x0000000000460000-0x0000000000560000-memory.dmp

Filesize
1024KB

Download
memory/2076-27-0x0000000000460000-0x0000000000560000-memory.dmp

Filesize
1024KB

Download
memory/2076-26-0x0000000000460000-0x0000000000560000-memory.dmp

Filesize
1024KB

Download
memory/2076-25-0x0000000000460000-0x0000000000560000-memory.dmp

Filesize
1024KB

Download
memory/2076-23-0x0000000000460000-0x0000000000560000-memory.dmp

Filesize
1024KB

Download
memory/2076-22-0x0000000000460000-0x0000000000560000-memory.dmp

Filesize
1024KB

Download
memory/2076-21-0x0000000000460000-0x0000000000560000-memory.dmp

Filesize
1024KB

Download
memory/2076-20-0x0000000000460000-0x0000000000560000-memory.dmp

Filesize
1024KB

Download
memory/2076-19-0x0000000000460000-0x0000000000560000-memory.dmp

Filesize
1024KB

Download
memory/2076-18-0x0000000000460000-0x0000000000560000-memory.dmp

Filesize
1024KB

Download
memory/2076-17-0x0000000000460000-0x0000000000560000-memory.dmp

Filesize
1024KB

Download
memory/2076-16-0x0000000000460000-0x0000000000560000-memory.dmp

Filesize
1024KB

Download
memory/2076-15-0x0000000000460000-0x0000000000560000-memory.dmp

Filesize
1024KB

Download
memory/2076-13-0x0000000000460000-0x0000000000560000-memory.dmp

Filesize
1024KB

Download
memory/2076-0-0x000000002FA41000-0x000000002FA42000-memory.dmp

Filesize
4KB

Download
memory/2076-10-0x0000000000460000-0x0000000000560000-memory.dmp

Filesize
1024KB

Download
memory/2076-9-0x0000000000460000-0x0000000000560000-memory.dmp

Filesize
1024KB

Download
memory/2076-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2076-43-0x0000000000460000-0x0000000000560000-memory.dmp

Filesize
1024KB

Download
memory/2076-6-0x0000000000460000-0x0000000000560000-memory.dmp

Filesize
1024KB

Download
memory/2076-5-0x0000000000460000-0x0000000000560000-memory.dmp

Filesize
1024KB

Download
memory/2076-41-0x0000000000460000-0x0000000000560000-memory.dmp

Filesize
1024KB

Download
memory/2076-53-0x0000000000460000-0x0000000000560000-memory.dmp

Filesize
1024KB

Download
memory/2076-44-0x0000000000460000-0x0000000000560000-memory.dmp

Filesize
1024KB

Download
memory/2076-67-0x0000000000460000-0x0000000000560000-memory.dmp

Filesize
1024KB

Download
memory/2076-69-0x0000000000460000-0x0000000000560000-memory.dmp

Filesize
1024KB

Download
memory/2076-70-0x0000000000460000-0x0000000000560000-memory.dmp

Filesize
1024KB

Download
memory/2076-73-0x0000000000460000-0x0000000000560000-memory.dmp

Filesize
1024KB

Download
memory/2076-72-0x0000000000460000-0x0000000000560000-memory.dmp

Filesize
1024KB

Download
memory/2076-71-0x0000000000460000-0x0000000000560000-memory.dmp

Filesize
1024KB

Download
memory/2076-68-0x0000000000460000-0x0000000000560000-memory.dmp

Filesize
1024KB

Download
memory/2076-38-0x0000000000460000-0x0000000000560000-memory.dmp

Filesize
1024KB

Download
memory/2076-8-0x0000000000460000-0x0000000000560000-memory.dmp

Filesize
1024KB

Download
memory/2076-99-0x0000000005680000-0x0000000005780000-memory.dmp

Filesize
1024KB

Download
memory/2076-24-0x0000000000460000-0x0000000000560000-memory.dmp

Filesize
1024KB

Download
memory/2076-84-0x0000000000460000-0x0000000000560000-memory.dmp

Filesize
1024KB

Download
memory/2076-85-0x0000000000460000-0x0000000000560000-memory.dmp

Filesize
1024KB

Download
memory/2076-83-0x00000000710BD000-0x00000000710C8000-memory.dmp

Filesize
44KB

Download
memory/2076-86-0x0000000000460000-0x0000000000560000-memory.dmp

Filesize
1024KB

Download
memory/2076-89-0x0000000005680000-0x0000000005780000-memory.dmp

Filesize
1024KB

Download
memory/2076-12-0x0000000000460000-0x0000000000560000-memory.dmp

Filesize
1024KB

Download
memory/2076-4-0x0000000000460000-0x0000000000560000-memory.dmp

Filesize
1024KB

Download
memory/2076-96-0x0000000000460000-0x0000000000560000-memory.dmp

Filesize
1024KB

Download
memory/2076-2-0x00000000710BD000-0x00000000710C8000-memory.dmp

Filesize
44KB

Download
memory/2204-97-0x00000000710BD000-0x00000000710C8000-memory.dmp

Filesize
44KB

Download
memory/2204-77-0x00000000710BD000-0x00000000710C8000-memory.dmp

Filesize
44KB

Download
memory/2204-75-0x000000002FA41000-0x000000002FA42000-memory.dmp

Filesize
4KB

Download
memory/2204-118-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2204-121-0x00000000710BD000-0x00000000710C8000-memory.dmp

Filesize
44KB

Download