pony | 6ade703e01e1f599ca3e5686760aa1c200d975df13ed50bf829bbd1fa5e74113

Analysis

max time kernel
55s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
20-10-2024 21:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ade703e01e1f599ca3e5686760aa1c200d975df13ed50bf829bbd1fa5e74113.doc
Size

222KB
MD5

1a9d520dd9a594a0e27bd75e0bed8fd6
SHA1

a55f6eb53742665288bb6691e686ff98771f8b84
SHA256

6ade703e01e1f599ca3e5686760aa1c200d975df13ed50bf829bbd1fa5e74113
SHA512

def5c37116a35172b8f786ad31f2b9f0523d93e7897805a3674d98c92cca7205bb94a5682aa3b6f5bed6e76d0a8584221db1b536bba5140764411b6aac83384f
SSDEEP

3072:zVIfFuR6AqFMa2fL3NtkWL90y7K4mlQCww7zDTW6HNRn0nPmaw:zVIf8RsOtZclptz78Pk

Score

10^/10

pony collection credential_access discovery rat spyware stealer upx

Malware Config

Extracted

Family

pony

http://fouseevenghedt.ru/gate.php

http://biledroben.ru/gate.php

http://rohironrof.ru/gate.php

Attributes

payload_url
http://eloraestate.com/wp-content/plugins/prism-highlight/opera1.exe

http://edmontonlimo247.com/wp-content/plugins/prism-highlight/opera1.exe

http://dgfcomercial.com.br/wp-content/plugins/prism-highlight/opera1.exe

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Executes dropped EXE 1 IoCs

pid	Process
2680	8tr.exe

Loads dropped DLL 1 IoCs

pid	Process
2780	WINWORD.EXE

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	8tr.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	8tr.exe
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	8tr.exe
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	8tr.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2680-90-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral1/memory/2680-96-0x0000000000400000-0x0000000000430000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8tr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2780	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2680	8tr.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeImpersonatePrivilege	2680	8tr.exe
Token: SeTcbPrivilege	2680	8tr.exe
Token: SeChangeNotifyPrivilege	2680	8tr.exe
Token: SeCreateTokenPrivilege	2680	8tr.exe
Token: SeBackupPrivilege	2680	8tr.exe
Token: SeRestorePrivilege	2680	8tr.exe
Token: SeIncreaseQuotaPrivilege	2680	8tr.exe
Token: SeAssignPrimaryTokenPrivilege	2680	8tr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2780	WINWORD.EXE
2780	WINWORD.EXE
2764	WINWORD.EXE
2764	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 2888	2780	WINWORD.EXE	30
PID 2780 wrote to memory of 2888	2780	WINWORD.EXE	30
PID 2780 wrote to memory of 2888	2780	WINWORD.EXE	30
PID 2780 wrote to memory of 2888	2780	WINWORD.EXE	30
PID 2780 wrote to memory of 2680	2780	WINWORD.EXE	32
PID 2780 wrote to memory of 2680	2780	WINWORD.EXE	32
PID 2780 wrote to memory of 2680	2780	WINWORD.EXE	32
PID 2780 wrote to memory of 2680	2780	WINWORD.EXE	32
PID 2680 wrote to memory of 3000	2680	8tr.exe	33
PID 2680 wrote to memory of 3000	2680	8tr.exe	33
PID 2680 wrote to memory of 3000	2680	8tr.exe	33
PID 2680 wrote to memory of 3000	2680	8tr.exe	33

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	8tr.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	8tr.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6ade703e01e1f599ca3e5686760aa1c200d975df13ed50bf829bbd1fa5e74113.doc"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2888
- C:\Users\Admin\AppData\Local\Temp\8tr.exe
  C:\Users\Admin\AppData\Local\Temp\8tr.exe
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook accounts
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:2680
- - C:\Windows\SysWOW64\cmd.exe
    cmd /K
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3000

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6D5CC675.emf

Filesize
5KB

MD5
0ed5bc16545d23c325d756013579a697

SHA1
dcdde3196414a743177131d7d906cb67315d88e7

SHA256
3e430584cd9774ea3b21d8e19b485b48212fe356776158dd5f3c5f63a5bde7d3

SHA512
c93072d11058fa50e3b09ff4da9f3dbe2637c2b5df05e616bd8ddd04557ea1e8b0db106b1545fad334619118c467776f81cf97ca52d3f2fcbbe007f30032b8af

Download Submit
C:\Users\Admin\AppData\Local\Temp\8tr.exe

Filesize
178KB

MD5
c028f68109fd975e9aed790087fe1457

SHA1
8086b95ae4f58529e2941aa4c532d8c584af1024

SHA256
5c05db8164a6d51dd483cbe8eddb1d0c21aecf432ef75f5dc5a0a2fc0b711657

SHA512
d22c6fe16c97890866f12ca1c7ab98d6242f997e3b84a2ced243830079693d7896f9bf7374a4c54e6d4155fa838b91064794918e5840805f58c72e619a54da02

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbhja.rtf

Filesize
802KB

MD5
8e9461a5a3ce92b30219e9ad150ca964

SHA1
4adc7af24675b72a3e0a34da0d55546b75fe7fae

SHA256
900ac8c53cba3c46bca12e6166eb73dfb3722f349239f9a043bf7e1f37d5c384

SHA512
d08f47c1d6c71ad8febc4810961501e3c1b35a4aab5eb896c4a46d6cee8cf31d58e122100bc6bfc760c08aaad596acab678ec5ac2af725d11ba75d4a76ad2884

Download Submit
C:\Users\Admin\AppData\Local\Temp\~WRD0001.tmp

Filesize
802KB

MD5
9594bef1fea58016eb6e3b14bb8309b3

SHA1
63e5ebd9adb24c1094f8629bc3d75e01b95554be

SHA256
94854f703802d7650a65b9c661cae908a30ea82623768b6a5fc08347450c6780

SHA512
a6ab85c96734da89aefc48aca7e3aa95a080223d99662f2e8e681431dd8b7dc1361664d02f53c9777c524e9a732c51fd1e185e045e17c583f89cc4e4073ae35b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
db851313312547e2c81454b75f5268df

SHA1
4942a3f3b3938a6e0ba604699174bdca245d6a44

SHA256
270e028f9a01decae30be58dfa4eae61f20ff42afa035710d24c3e122c487a24

SHA512
6d64a5de2dde9e8a9828eba6ae24c4b8ddbbeb73dbfb9602ac21d426260bc149b2220b0a8ef8c6bd6cd0a803878e5a993ab3d9f97f3d9eaafddf3372c8ee62d0

Download Submit
memory/2680-96-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2680-90-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2764-94-0x000000007380D000-0x0000000073818000-memory.dmp

Filesize
44KB

Download
memory/2764-73-0x000000002F0A1000-0x000000002F0A2000-memory.dmp

Filesize
4KB

Download
memory/2764-75-0x000000007380D000-0x0000000073818000-memory.dmp

Filesize
44KB

Download
memory/2764-118-0x000000007380D000-0x0000000073818000-memory.dmp

Filesize
44KB

Download
memory/2764-115-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2780-43-0x0000000005E70000-0x0000000005F70000-memory.dmp

Filesize
1024KB

Download
memory/2780-85-0x0000000005E70000-0x0000000005F70000-memory.dmp

Filesize
1024KB

Download
memory/2780-42-0x0000000005E70000-0x0000000005F70000-memory.dmp

Filesize
1024KB

Download
memory/2780-86-0x0000000005E70000-0x0000000005F70000-memory.dmp

Filesize
1024KB

Download
memory/2780-84-0x000000007380D000-0x0000000073818000-memory.dmp

Filesize
44KB

Download
memory/2780-93-0x0000000005E70000-0x0000000005F70000-memory.dmp

Filesize
1024KB

Download
memory/2780-0-0x000000002F0A1000-0x000000002F0A2000-memory.dmp

Filesize
4KB

Download
memory/2780-95-0x0000000005E70000-0x0000000005F70000-memory.dmp

Filesize
1024KB

Download
memory/2780-2-0x000000007380D000-0x0000000073818000-memory.dmp

Filesize
44KB

Download
memory/2780-81-0x0000000005E70000-0x0000000005F70000-memory.dmp

Filesize
1024KB

Download
memory/2780-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2780-54-0x0000000005E70000-0x0000000005F70000-memory.dmp

Filesize
1024KB

Download