pony | 685630bc62de6b7700f0370419e102fed425f60e764c2a76473336a0f6f2c7ac

Analysis

max time kernel
57s
max time network
58s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-12-2024 21:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

685630bc62de6b7700f0370419e102fed425f60e764c2a76473336a0f6f2c7ac.doc
Size

250KB
MD5

5fd8c0a425255c3eb8972a3e2d5ad810
SHA1

fbc67cb81231a53bb9fef7b4c2e92d5c670b9625
SHA256

685630bc62de6b7700f0370419e102fed425f60e764c2a76473336a0f6f2c7ac
SHA512

4acc1138e1b1c04bc20a35871d72c5838e0ca5af75b6e435fd6e304e3dd40ba0fa6a7a4b9ae96aec4318c6cb327f416b83bdf1c24b6a713dd4a2f2eb5da48720
SSDEEP

3072:1VIf+rqpDAoBxgfWsopbVTd5E8SNolOW1NN2e08CeVA4Rjt:1VIfEMDAoBxHpZ08SEjtZ

Score

10^/10

pony collection credential_access discovery rat spyware stealer

Malware Config

Extracted

Family

pony

http://beheutsi.ru/gate.php

http://fievenghapun.ru/gate.php

http://juskinsandfo.ru/gate.php

Attributes

payload_url
http://gourmet.pergaz.com/media/system/host.exe

http://yeebay.co/media/system/host.exe

http://hungphatea.com.au/media/system/host.exe

Signatures

Pony family
pony
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Executes dropped EXE 1 IoCs

pid	Process
1620	pm1.exe

Loads dropped DLL 1 IoCs

pid	Process
2652	WINWORD.EXE

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	pm1.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	pm1.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	pm1.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	pm1.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pm1.exe

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2652	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1620	pm1.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeImpersonatePrivilege	1620	pm1.exe
Token: SeTcbPrivilege	1620	pm1.exe
Token: SeChangeNotifyPrivilege	1620	pm1.exe
Token: SeCreateTokenPrivilege	1620	pm1.exe
Token: SeBackupPrivilege	1620	pm1.exe
Token: SeRestorePrivilege	1620	pm1.exe
Token: SeIncreaseQuotaPrivilege	1620	pm1.exe
Token: SeAssignPrimaryTokenPrivilege	1620	pm1.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2652	WINWORD.EXE
2652	WINWORD.EXE
2140	WINWORD.EXE
2140	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 2580	2652	WINWORD.EXE	30
PID 2652 wrote to memory of 2580	2652	WINWORD.EXE	30
PID 2652 wrote to memory of 2580	2652	WINWORD.EXE	30
PID 2652 wrote to memory of 2580	2652	WINWORD.EXE	30
PID 2652 wrote to memory of 1620	2652	WINWORD.EXE	32
PID 2652 wrote to memory of 1620	2652	WINWORD.EXE	32
PID 2652 wrote to memory of 1620	2652	WINWORD.EXE	32
PID 2652 wrote to memory of 1620	2652	WINWORD.EXE	32
PID 1620 wrote to memory of 1724	1620	pm1.exe	33
PID 1620 wrote to memory of 1724	1620	pm1.exe	33
PID 1620 wrote to memory of 1724	1620	pm1.exe	33
PID 1620 wrote to memory of 1724	1620	pm1.exe	33

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	pm1.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	pm1.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\685630bc62de6b7700f0370419e102fed425f60e764c2a76473336a0f6f2c7ac.doc"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2580
- C:\Users\Admin\AppData\Local\Temp\pm1.exe
  C:\Users\Admin\AppData\Local\Temp\pm1.exe
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook accounts
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:1620
- - C:\Windows\SysWOW64\cmd.exe
    cmd /K
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1724

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F164DDAE.emf

Filesize
5KB

MD5
b723ca9637677e7803c126c2e40154f3

SHA1
d99104c8c5445c85601f2215e3ee006506bbf982

SHA256
036064e258892f1692a42304d504d8c1de9f3396462d6974a855571ffe598d01

SHA512
71695eee3390e2ebd27873eb3639cd3faa7c4f8c0e42e347e7f7c67acf113cd128e24049bf42902d3c049925bac4ab9cf9aabc445483579ba9b30587068a582c

Download Submit
C:\Users\Admin\AppData\Local\Temp\322.rtf

Filesize
859KB

MD5
c169b8d3a7f235b0a992807ff15f33a1

SHA1
f0889c978c71159a2eb92072015d5597feedea55

SHA256
cd1ffb5172f0affee4c833725d4e464d90d09ad4ceb91324dac2d807b63b7392

SHA512
e1b6994aa898ffb08b7f9d4b7010c4adee8d08b348a1094058f3e6d4308a386bb07197674725ef379b8b8745513ef29ce5117ce0aaa8eac133ce625994ab3058

Download Submit
C:\Users\Admin\AppData\Local\Temp\pm1.exe

Filesize
207KB

MD5
b198efe59d67728c7d0a339a7490222c

SHA1
b0c27b220d32f2e94d75c0074835a8345f81b725

SHA256
2b75705c538a522faafb6a19c57327ceeadbab0b29fcd02a417d392a4e849ba4

SHA512
40f6505e740f5d23e3efb4220899dfddf0f6c1e97d571f3f2fd50543951645e45121c91fb30a44c5f11bc43df454ad73c646de9b74d245425cd195e55fa2074c

Download Submit
C:\Users\Admin\AppData\Local\Temp\~WRD0001.tmp

Filesize
859KB

MD5
943d215b6809e19bcc1f19dd00220c7f

SHA1
82324a7edef444ffcb0ffb7b3ec3a493d9f1ddfd

SHA256
77750372b46d513692bb88d2f12367f9cb439f2d2bff278cda733918fef5b999

SHA512
08abbde0d2e34b7ae136497b820ea3a1df8faeb4c550ebc962f6c9213c9a89a973b39fa82997043e2c989cc25b419139681a0990984ff91e12f2e94e7df400c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
24f05e632486a9e570a237f55ce7da24

SHA1
e2719f96a35efbb686901c4ba947feba00be8117

SHA256
ad137d3aa050a4edf5fe4b3595d7f9129700bfff4a675980ce1841ada52f8408

SHA512
067106529c89ab695fab98441d1a92178ce0eb7d85de1f9da53e14be95ce4f898606be60ff4a8d2ee4877105bf6eccc5d143864d2819b01d61de95a19e06eb1f

Download Submit
memory/1620-104-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1620-100-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2140-126-0x0000000070AFD000-0x0000000070B08000-memory.dmp

Filesize
44KB

Download
memory/2140-123-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2140-103-0x0000000070AFD000-0x0000000070B08000-memory.dmp

Filesize
44KB

Download
memory/2140-81-0x0000000070AFD000-0x0000000070B08000-memory.dmp

Filesize
44KB

Download
memory/2140-79-0x000000002F0B1000-0x000000002F0B2000-memory.dmp

Filesize
4KB

Download
memory/2652-32-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-25-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-7-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-6-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-5-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-4-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-20-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-19-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-9-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-10-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-56-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-48-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-47-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-46-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-44-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-43-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-42-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-41-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-40-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-39-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-38-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-37-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-36-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-35-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-34-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-33-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-0-0x000000002F0B1000-0x000000002F0B2000-memory.dmp

Filesize
4KB

Download
memory/2652-31-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-30-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-29-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-28-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-27-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-26-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-8-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-24-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-23-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-22-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-21-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-77-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-76-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-75-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-74-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-73-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-72-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-71-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-70-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-11-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-12-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-13-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-87-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-94-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-95-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-14-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-93-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-92-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-91-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-90-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-88-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-89-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-99-0x0000000070AFD000-0x0000000070B08000-memory.dmp

Filesize
44KB

Download
memory/2652-15-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-102-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-16-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-17-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-18-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2652-2-0x0000000070AFD000-0x0000000070B08000-memory.dmp

Filesize
44KB

Download
memory/2652-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download