pony | 17b4d01d32c64a62e36496829da323fe308437048ca87143de7365fabd4194fd

Analysis

max time kernel
567s
max time network
360s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 03:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

edffa07d667dbd224682639f56eb1b913e4ffeac874999e02c23e86eeb6489d5.js
Size

559KB
MD5

535494aa6ce3ccef7346b548da5061a9
SHA1

2c0b5637701c83b7b2aeabdf3120a89db1dbaad7
SHA256

edffa07d667dbd224682639f56eb1b913e4ffeac874999e02c23e86eeb6489d5
SHA512

f02464b3563b4552246b86e2c6ec377b8b0734576647bbc69ca8f4dd775d59f54ffbf3dd7f6433990ec187f1116891426f0e70a7524c9b793df9bc78e087f6dc
SSDEEP

12288:ZVJ/hB+eGkeURqNvA0msxNxgnr/V4ZhiKjUkE6PofKhs:R/r47iKjUBIs

Score

10^/10

pony collection credential_access discovery execution persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://startwavenow.com/gate.php

Signatures

Pony family
pony
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Executes dropped EXE 1 IoCs

Processes:

st.exe

pid process

2916 st.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

pid	process
2916	st.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

st.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	st.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

st.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	st.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\edffa07d667dbd224682639f56eb1b913e4ffeac874999e02c23e86eeb6489d5.js argument"	wscript.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

st.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language st.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	st.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

Processes:

st.exe

description	pid	process
Token: 33	2916	st.exe
Token: SeIncBasePriorityPrivilege	2916	st.exe
Token: SeImpersonatePrivilege	2916	st.exe
Token: SeTcbPrivilege	2916	st.exe
Token: SeChangeNotifyPrivilege	2916	st.exe
Token: SeCreateTokenPrivilege	2916	st.exe
Token: SeBackupPrivilege	2916	st.exe
Token: SeRestorePrivilege	2916	st.exe
Token: SeIncreaseQuotaPrivilege	2916	st.exe
Token: SeAssignPrimaryTokenPrivilege	2916	st.exe
Token: SeImpersonatePrivilege	2916	st.exe
Token: SeTcbPrivilege	2916	st.exe
Token: SeChangeNotifyPrivilege	2916	st.exe
Token: SeCreateTokenPrivilege	2916	st.exe
Token: SeBackupPrivilege	2916	st.exe
Token: SeRestorePrivilege	2916	st.exe
Token: SeIncreaseQuotaPrivilege	2916	st.exe
Token: SeAssignPrimaryTokenPrivilege	2916	st.exe
Token: SeImpersonatePrivilege	2916	st.exe
Token: SeTcbPrivilege	2916	st.exe
Token: SeChangeNotifyPrivilege	2916	st.exe
Token: SeCreateTokenPrivilege	2916	st.exe
Token: SeBackupPrivilege	2916	st.exe
Token: SeRestorePrivilege	2916	st.exe
Token: SeIncreaseQuotaPrivilege	2916	st.exe
Token: SeAssignPrimaryTokenPrivilege	2916	st.exe
Token: SeImpersonatePrivilege	2916	st.exe
Token: SeTcbPrivilege	2916	st.exe
Token: SeChangeNotifyPrivilege	2916	st.exe
Token: SeCreateTokenPrivilege	2916	st.exe
Token: SeBackupPrivilege	2916	st.exe
Token: SeRestorePrivilege	2916	st.exe
Token: SeIncreaseQuotaPrivilege	2916	st.exe
Token: SeAssignPrimaryTokenPrivilege	2916	st.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

wordpad.exe

pid process

2008 wordpad.exe
2008 wordpad.exe
2008 wordpad.exe
2008 wordpad.exe
2008 wordpad.exe

pid	process
2008	wordpad.exe
2008	wordpad.exe
2008	wordpad.exe
2008	wordpad.exe
2008	wordpad.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 2652 wrote to memory of 2008	2652	wscript.exe	wordpad.exe
PID 2652 wrote to memory of 2008	2652	wscript.exe	wordpad.exe
PID 2652 wrote to memory of 2008	2652	wscript.exe	wordpad.exe
PID 2652 wrote to memory of 2916	2652	wscript.exe	st.exe
PID 2652 wrote to memory of 2916	2652	wscript.exe	st.exe
PID 2652 wrote to memory of 2916	2652	wscript.exe	st.exe
PID 2652 wrote to memory of 2916	2652	wscript.exe	st.exe

outlook_win_path 1 IoCs

Processes:

st.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	st.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\edffa07d667dbd224682639f56eb1b913e4ffeac874999e02c23e86eeb6489d5.js
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Program Files\Windows NT\Accessories\wordpad.exe
  "C:\Program Files\Windows NT\Accessories\wordpad.exe" "C:\Users\Admin\Documents\doc_attached_4QAyw"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2008
- C:\Users\Admin\Documents\st.exe
  "C:\Users\Admin\Documents\st.exe"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook accounts
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - outlook_win_path
  PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\doc_attached_4QAyw

Filesize
12KB

MD5
a1fa80f75ad4003549d27fc726e40b14

SHA1
5fda8ead11d5bdcc51c29f9eb72aed29f2065d31

SHA256
37ab62998175d3dc70763e2fcbfe1e5b38660ae59a1c21c0306f2470ea487364

SHA512
34817bda5cbcb2e0a909d8652b2b82c3471696f4e4d533e8a1e3583811a60aa0365e4ceabd3d2ded506a577decf907bc6bead917ffef1317e758ea2f82c1c554

Download Submit
C:\Users\Admin\Documents\st.exe

Filesize
135KB

MD5
39c27aec900d0613e02b78df2333657c

SHA1
822bf6d0eb04df65c072b51100c5c852761e7c9e

SHA256
dabee7680e09565154e7807c1ed362838ad6ee4e373ee97069e3b33db1ec10f7

SHA512
316497a6973ea6c7883b3112b1d5a7f042f654f807ac8b2919e42719f384469cc5d7d39112982bee0d18900ee6f76dd00664d206f5f13d6448dd27a3c84c1880

Download Submit
memory/2008-2-0x0000000002120000-0x0000000002121000-memory.dmp

Filesize
4KB

Download
memory/2008-3-0x0000000002120000-0x0000000002121000-memory.dmp

Filesize
4KB

Download
memory/2916-10-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2916-9-0x0000000000250000-0x0000000000265000-memory.dmp

Filesize
84KB

Download
memory/2916-11-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2916-12-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2916-13-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2916-14-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2916-15-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download