pony | 42b8503d47b564a1366a12b67db662d27f209e6c785eb234e8788cdf65b55726

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
11/11/2024, 21:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42b8503d47b564a1366a12b67db662d27f209e6c785eb234e8788cdf65b55726.exe
Size

513KB
MD5

8a74c1af5c133e0b74afd23d1d16558c
SHA1

ae685b826bd5f7c231f8d9ee7c94c48eac7fe30b
SHA256

42b8503d47b564a1366a12b67db662d27f209e6c785eb234e8788cdf65b55726
SHA512

2a94764784193586444dbd16fb7b8c81f8418d002538c0fb87080abd10188131ba6eff4798846f4b58172a9ce9f0c527dd6bb6fbaa445825e1e4708c0616917f
SSDEEP

6144:WTfFDbRnOTrA24QS575Xvk6VBiHQLO8IUeErP+k9IMXgXNZ4iIFgRpctuD1MTRAr:U5O74T7RvkQit8jrgBZrMwyTRAZG4av6

Score

10^/10

pony collection credential_access discovery rat spyware stealer upx

Malware Config

Extracted

Family

pony

http://orangefornowsee.webatu.com/yt/gate.php

Signatures

Pony family
pony
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Executes dropped EXE 1 IoCs

pid	Process
2116	novDof.exe

Loads dropped DLL 1 IoCs

pid	Process
2572	42b8503d47b564a1366a12b67db662d27f209e6c785eb234e8788cdf65b55726.exe

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	svchost.exe
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	svchost.exe
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	svchost.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	svchost.exe
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	svchost.exe
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	svchost.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2116 set thread context of 2108	2116	novDof.exe	32
PID 2108 set thread context of 2816	2108	svchost.exe	38
PID 2108 set thread context of 2944	2108	svchost.exe	39
PID 2108 set thread context of 1668	2108	svchost.exe	40

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2108-24-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2108-32-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2108-29-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2108-26-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2108-33-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2108-36-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2816-57-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/2816-54-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/2816-52-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/2816-58-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/2816-59-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/2108-81-0x0000000000400000-0x0000000000457000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	42b8503d47b564a1366a12b67db662d27f209e6c785eb234e8788cdf65b55726.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	novDof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2864	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2116	novDof.exe
2108	svchost.exe
2108	svchost.exe
2108	svchost.exe
2108	svchost.exe
2108	svchost.exe
2108	svchost.exe
2108	svchost.exe
2108	svchost.exe
2108	svchost.exe
2108	svchost.exe
2108	svchost.exe
2108	svchost.exe
2108	svchost.exe
2108	svchost.exe
2108	svchost.exe
2108	svchost.exe
2108	svchost.exe
2108	svchost.exe
2108	svchost.exe
2108	svchost.exe
2108	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeImpersonatePrivilege	2816	svchost.exe
Token: SeTcbPrivilege	2816	svchost.exe
Token: SeChangeNotifyPrivilege	2816	svchost.exe
Token: SeCreateTokenPrivilege	2816	svchost.exe
Token: SeBackupPrivilege	2816	svchost.exe
Token: SeRestorePrivilege	2816	svchost.exe
Token: SeIncreaseQuotaPrivilege	2816	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2816	svchost.exe
Token: SeImpersonatePrivilege	2944	svchost.exe
Token: SeTcbPrivilege	2944	svchost.exe
Token: SeChangeNotifyPrivilege	2944	svchost.exe
Token: SeCreateTokenPrivilege	2944	svchost.exe
Token: SeBackupPrivilege	2944	svchost.exe
Token: SeRestorePrivilege	2944	svchost.exe
Token: SeIncreaseQuotaPrivilege	2944	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2944	svchost.exe
Token: SeImpersonatePrivilege	2944	svchost.exe
Token: SeTcbPrivilege	2944	svchost.exe
Token: SeChangeNotifyPrivilege	2944	svchost.exe
Token: SeCreateTokenPrivilege	2944	svchost.exe
Token: SeBackupPrivilege	2944	svchost.exe
Token: SeRestorePrivilege	2944	svchost.exe
Token: SeIncreaseQuotaPrivilege	2944	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2944	svchost.exe
Token: SeImpersonatePrivilege	2944	svchost.exe
Token: SeTcbPrivilege	2944	svchost.exe
Token: SeChangeNotifyPrivilege	2944	svchost.exe
Token: SeCreateTokenPrivilege	2944	svchost.exe
Token: SeBackupPrivilege	2944	svchost.exe
Token: SeRestorePrivilege	2944	svchost.exe
Token: SeIncreaseQuotaPrivilege	2944	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2944	svchost.exe
Token: SeImpersonatePrivilege	2944	svchost.exe
Token: SeTcbPrivilege	2944	svchost.exe
Token: SeChangeNotifyPrivilege	2944	svchost.exe
Token: SeCreateTokenPrivilege	2944	svchost.exe
Token: SeBackupPrivilege	2944	svchost.exe
Token: SeRestorePrivilege	2944	svchost.exe
Token: SeIncreaseQuotaPrivilege	2944	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2944	svchost.exe
Token: SeImpersonatePrivilege	1668	svchost.exe
Token: SeTcbPrivilege	1668	svchost.exe
Token: SeChangeNotifyPrivilege	1668	svchost.exe
Token: SeCreateTokenPrivilege	1668	svchost.exe
Token: SeBackupPrivilege	1668	svchost.exe
Token: SeRestorePrivilege	1668	svchost.exe
Token: SeIncreaseQuotaPrivilege	1668	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1668	svchost.exe
Token: SeImpersonatePrivilege	1668	svchost.exe
Token: SeTcbPrivilege	1668	svchost.exe
Token: SeChangeNotifyPrivilege	1668	svchost.exe
Token: SeCreateTokenPrivilege	1668	svchost.exe
Token: SeBackupPrivilege	1668	svchost.exe
Token: SeRestorePrivilege	1668	svchost.exe
Token: SeIncreaseQuotaPrivilege	1668	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1668	svchost.exe
Token: SeImpersonatePrivilege	1668	svchost.exe
Token: SeTcbPrivilege	1668	svchost.exe
Token: SeChangeNotifyPrivilege	1668	svchost.exe
Token: SeCreateTokenPrivilege	1668	svchost.exe
Token: SeBackupPrivilege	1668	svchost.exe
Token: SeRestorePrivilege	1668	svchost.exe
Token: SeIncreaseQuotaPrivilege	1668	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1668	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2108	svchost.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2572 wrote to memory of 2116	2572	42b8503d47b564a1366a12b67db662d27f209e6c785eb234e8788cdf65b55726.exe	31
PID 2572 wrote to memory of 2116	2572	42b8503d47b564a1366a12b67db662d27f209e6c785eb234e8788cdf65b55726.exe	31
PID 2572 wrote to memory of 2116	2572	42b8503d47b564a1366a12b67db662d27f209e6c785eb234e8788cdf65b55726.exe	31
PID 2572 wrote to memory of 2116	2572	42b8503d47b564a1366a12b67db662d27f209e6c785eb234e8788cdf65b55726.exe	31
PID 2116 wrote to memory of 2108	2116	novDof.exe	32
PID 2116 wrote to memory of 2108	2116	novDof.exe	32
PID 2116 wrote to memory of 2108	2116	novDof.exe	32
PID 2116 wrote to memory of 2108	2116	novDof.exe	32
PID 2116 wrote to memory of 2108	2116	novDof.exe	32
PID 2116 wrote to memory of 2108	2116	novDof.exe	32
PID 2116 wrote to memory of 2108	2116	novDof.exe	32
PID 2116 wrote to memory of 2108	2116	novDof.exe	32
PID 2108 wrote to memory of 2788	2108	svchost.exe	34
PID 2108 wrote to memory of 2788	2108	svchost.exe	34
PID 2108 wrote to memory of 2788	2108	svchost.exe	34
PID 2108 wrote to memory of 2788	2108	svchost.exe	34
PID 2108 wrote to memory of 2864	2108	svchost.exe	35
PID 2108 wrote to memory of 2864	2108	svchost.exe	35
PID 2108 wrote to memory of 2864	2108	svchost.exe	35
PID 2108 wrote to memory of 2864	2108	svchost.exe	35
PID 2108 wrote to memory of 2816	2108	svchost.exe	38
PID 2108 wrote to memory of 2816	2108	svchost.exe	38
PID 2108 wrote to memory of 2816	2108	svchost.exe	38
PID 2108 wrote to memory of 2816	2108	svchost.exe	38
PID 2108 wrote to memory of 2816	2108	svchost.exe	38
PID 2108 wrote to memory of 2816	2108	svchost.exe	38
PID 2108 wrote to memory of 2816	2108	svchost.exe	38
PID 2108 wrote to memory of 2816	2108	svchost.exe	38
PID 2108 wrote to memory of 2944	2108	svchost.exe	39
PID 2108 wrote to memory of 2944	2108	svchost.exe	39
PID 2108 wrote to memory of 2944	2108	svchost.exe	39
PID 2108 wrote to memory of 2944	2108	svchost.exe	39
PID 2108 wrote to memory of 2944	2108	svchost.exe	39
PID 2108 wrote to memory of 2944	2108	svchost.exe	39
PID 2108 wrote to memory of 2944	2108	svchost.exe	39
PID 2108 wrote to memory of 2944	2108	svchost.exe	39
PID 2108 wrote to memory of 1668	2108	svchost.exe	40
PID 2108 wrote to memory of 1668	2108	svchost.exe	40
PID 2108 wrote to memory of 1668	2108	svchost.exe	40
PID 2108 wrote to memory of 1668	2108	svchost.exe	40
PID 2108 wrote to memory of 1668	2108	svchost.exe	40
PID 2108 wrote to memory of 1668	2108	svchost.exe	40
PID 2108 wrote to memory of 1668	2108	svchost.exe	40
PID 2108 wrote to memory of 1668	2108	svchost.exe	40

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	svchost.exe

C:\Users\Admin\AppData\Local\Temp\42b8503d47b564a1366a12b67db662d27f209e6c785eb234e8788cdf65b55726.exe
"C:\Users\Admin\AppData\Local\Temp\42b8503d47b564a1366a12b67db662d27f209e6c785eb234e8788cdf65b55726.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\novDof.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\novDof.exe" "BWniac"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\System32\svchost.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2108
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn WindowsUpdatebwniac0x8429524
      4⤵
      System Location Discovery: System Language Discovery
      PID:2788
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn WindowsUpdatebwniac0x8429525 /tr "C:\ProgramData\bwniac\Project1.exe" /RL HIGHEST
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2864
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\SysWOW64\svchost.exe"
      4⤵
      Accesses Microsoft Outlook accounts
      Accesses Microsoft Outlook profiles
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      outlook_win_path
      PID:2816
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\SysWOW64\svchost.exe"
      4⤵
      Accesses Microsoft Outlook accounts
      Accesses Microsoft Outlook profiles
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2944
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\SysWOW64\svchost.exe"
      4⤵
      Accesses Microsoft Outlook accounts
      Accesses Microsoft Outlook profiles
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1668

C:\Windows\system32\taskeng.exe
taskeng.exe {18BF0756-3853-4E26-BE3E-A9FCA882F336} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]
1⤵
PID:1492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\BWniac

Filesize
6KB

MD5
a39356dc7d53aa9a8b37b0939d4ea5a8

SHA1
304e0f38b90adbfe697407ed060c9f0b193c9d82

SHA256
d1ffe8f52182ea1a9c2ea36d8086ed5bd8c423a379e55f1ad7bae61a55f04d98

SHA512
b63a0725de90a19b752aebf4136016b52fd491d17a51f0a3b1d3c9cd439fa030175f30d131a5ca1c7b0156449799a3099145562e465842880ed3a6fb3dfc7fc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\clYtxv.exe

Filesize
102KB

MD5
f87405eee448fca26cba20181bc9c523

SHA1
3fb4894309fd1b04dd430266fce782f7cd76c4a8

SHA256
590c1fc55cd045047bcc8710f7bd73d2c0f8034c5fa70837058f111a2079991d

SHA512
4b4164e25d8ab16e4dd84f217431ee3057a0a3b5581843eb1e7135b168f362ed31174bd1737ecf7ad58b829baa07dfa7a8310a030e08508903d134eddc0214ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\oEGOMy.txt

Filesize
231KB

MD5
3f1471b60d578c33686f3b0f21f44345

SHA1
85b1cc86e86092f47f70847fa780090bb1f7c352

SHA256
51a6dd04aebbd6a929419ae9ac1371f34255b8825a97d14a1a3208de6873b64f

SHA512
cfec7a78e5565b4cf6c869bda230a99c829921d1d8a56e7a2a2c53786360124dbd86162c6d76310550850cf9770f05ff6bc81c2640501940b30f91ce90f104e6

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\novDof.exe

Filesize
510KB

MD5
01d151ccd2a75bd713b8ce81d6509eb8

SHA1
c751680d504bece45dc84e363e9e976fe77a8eac

SHA256
a4d4dbf9e9124dbd055115706f2a2bfc8816b66cc5f52a148602f9fb0203b801

SHA512
8d49a4d97ef38fe5c6bb875d3bc387fade75f9a5d06a494b6a8c9d87840aa3d7cd87343e6aad268a27a9a33390bef7cd8e10d8ebe1df9f7d1ba6a68fe844107d

Download Submit
memory/1668-77-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2108-33-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2108-29-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2108-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2108-26-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2108-24-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2108-36-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2108-32-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2108-81-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2108-22-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2572-70-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2816-57-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2816-59-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2816-50-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2816-58-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2816-52-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2816-54-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download