pony | 685630bc62de6b7700f0370419e102fed425f60e764c2a76473336a0f6f2c7ac

Analysis

max time kernel
148s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-12-2024 21:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

685630bc62de6b7700f0370419e102fed425f60e764c2a76473336a0f6f2c7ac.doc
Size

250KB
MD5

5fd8c0a425255c3eb8972a3e2d5ad810
SHA1

fbc67cb81231a53bb9fef7b4c2e92d5c670b9625
SHA256

685630bc62de6b7700f0370419e102fed425f60e764c2a76473336a0f6f2c7ac
SHA512

4acc1138e1b1c04bc20a35871d72c5838e0ca5af75b6e435fd6e304e3dd40ba0fa6a7a4b9ae96aec4318c6cb327f416b83bdf1c24b6a713dd4a2f2eb5da48720
SSDEEP

3072:1VIf+rqpDAoBxgfWsopbVTd5E8SNolOW1NN2e08CeVA4Rjt:1VIfEMDAoBxHpZ08SEjtZ

Score

10^/10

pony collection credential_access discovery rat spyware stealer

Malware Config

Extracted

Family

pony

http://beheutsi.ru/gate.php

http://fievenghapun.ru/gate.php

http://juskinsandfo.ru/gate.php

Attributes

payload_url
http://gourmet.pergaz.com/media/system/host.exe

http://yeebay.co/media/system/host.exe

http://hungphatea.com.au/media/system/host.exe

Signatures

Pony family
pony
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Executes dropped EXE 1 IoCs

pid	Process
2828	pm1.exe

Loads dropped DLL 1 IoCs

pid	Process
2080	WINWORD.EXE

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	pm1.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	pm1.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	pm1.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	pm1.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2080	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2828	pm1.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeImpersonatePrivilege	2828	pm1.exe
Token: SeTcbPrivilege	2828	pm1.exe
Token: SeChangeNotifyPrivilege	2828	pm1.exe
Token: SeCreateTokenPrivilege	2828	pm1.exe
Token: SeBackupPrivilege	2828	pm1.exe
Token: SeRestorePrivilege	2828	pm1.exe
Token: SeIncreaseQuotaPrivilege	2828	pm1.exe
Token: SeAssignPrimaryTokenPrivilege	2828	pm1.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2080	WINWORD.EXE
2080	WINWORD.EXE
1696	WINWORD.EXE
1696	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2876	2080	WINWORD.EXE	31
PID 2080 wrote to memory of 2876	2080	WINWORD.EXE	31
PID 2080 wrote to memory of 2876	2080	WINWORD.EXE	31
PID 2080 wrote to memory of 2876	2080	WINWORD.EXE	31
PID 2080 wrote to memory of 2828	2080	WINWORD.EXE	33
PID 2080 wrote to memory of 2828	2080	WINWORD.EXE	33
PID 2080 wrote to memory of 2828	2080	WINWORD.EXE	33
PID 2080 wrote to memory of 2828	2080	WINWORD.EXE	33
PID 2828 wrote to memory of 2136	2828	pm1.exe	34
PID 2828 wrote to memory of 2136	2828	pm1.exe	34
PID 2828 wrote to memory of 2136	2828	pm1.exe	34
PID 2828 wrote to memory of 2136	2828	pm1.exe	34

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	pm1.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	pm1.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\685630bc62de6b7700f0370419e102fed425f60e764c2a76473336a0f6f2c7ac.doc"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2876
- C:\Users\Admin\AppData\Local\Temp\pm1.exe
  C:\Users\Admin\AppData\Local\Temp\pm1.exe
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook accounts
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:2828
- - C:\Windows\SysWOW64\cmd.exe
    cmd /K
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2136

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\71BF830F.emf

Filesize
5KB

MD5
b723ca9637677e7803c126c2e40154f3

SHA1
d99104c8c5445c85601f2215e3ee006506bbf982

SHA256
036064e258892f1692a42304d504d8c1de9f3396462d6974a855571ffe598d01

SHA512
71695eee3390e2ebd27873eb3639cd3faa7c4f8c0e42e347e7f7c67acf113cd128e24049bf42902d3c049925bac4ab9cf9aabc445483579ba9b30587068a582c

Download Submit
C:\Users\Admin\AppData\Local\Temp\322.rtf

Filesize
859KB

MD5
d12214cdc4fbdfc7a506350b3fed81df

SHA1
6473e2d0ae7862cae7a2fd68d187251b5f118408

SHA256
beb8630ad4bcdc64a907729b6f4f014b6c7d52519b6e4cf9a1ab7357131d0740

SHA512
8a0286224271b6f41881546c450c9307b43da161d506ac3eba4006f72b09fc505cf9e49a5c10b6e1fb9ec7bc140b64359d84fdf7983ff5b2931f3a0d80f8b4bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\pm1.exe

Filesize
207KB

MD5
b198efe59d67728c7d0a339a7490222c

SHA1
b0c27b220d32f2e94d75c0074835a8345f81b725

SHA256
2b75705c538a522faafb6a19c57327ceeadbab0b29fcd02a417d392a4e849ba4

SHA512
40f6505e740f5d23e3efb4220899dfddf0f6c1e97d571f3f2fd50543951645e45121c91fb30a44c5f11bc43df454ad73c646de9b74d245425cd195e55fa2074c

Download Submit
C:\Users\Admin\AppData\Local\Temp\~WRD0001.tmp

Filesize
859KB

MD5
4ed29fa71a11a38389a58e424150b6b6

SHA1
3147eba23df948c3e7639c8f67d95bd582cf722a

SHA256
a888857a33a2b40aa2b438c5cf4b8add15a4f0a2464c93bc72261d065f15e410

SHA512
349d051fe5f1eb14ba179f48846040d97fcf787e51a0bbcf88bff0cb2e8659983f2b1c53f349c2b07c3c4362d74c0653ed15201460bea5687e53da5ef93ba823

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
d1d338a6c0889969fa4b0a4be5c6141e

SHA1
48bb67c8a72a62fd0572785fcf1c8a81ddf302ac

SHA256
ad25ccdce05c79dad4734f360c90efb7267dc8a90e094838162555e8c082dea1

SHA512
f0d557ff19af550ac006ecaa96d8b4d20d51c94c2cd95cd0015e30cc21058a2ff4ef36fd0c01185dbbf3e4e4cebb78ed4bc388cb2c0f2018ebafb3a20e2e9acc

Download Submit
memory/1696-123-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1696-126-0x0000000070CFD000-0x0000000070D08000-memory.dmp

Filesize
44KB

Download
memory/1696-103-0x0000000070CFD000-0x0000000070D08000-memory.dmp

Filesize
44KB

Download
memory/1696-81-0x0000000070CFD000-0x0000000070D08000-memory.dmp

Filesize
44KB

Download
memory/1696-79-0x000000002FCF1000-0x000000002FCF2000-memory.dmp

Filesize
4KB

Download
memory/2080-24-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-17-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-39-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-38-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-37-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-36-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-35-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-34-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-33-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-77-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-76-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-75-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-74-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-73-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-72-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-71-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-70-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-65-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-41-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-42-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-43-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-32-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-31-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-30-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-29-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-27-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-26-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-25-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-0-0x000000002FCF1000-0x000000002FCF2000-memory.dmp

Filesize
4KB

Download
memory/2080-23-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-22-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-21-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-20-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-19-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-18-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-40-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-16-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-15-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-14-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-13-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-12-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-11-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-10-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-9-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-8-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-6-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-5-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-4-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-44-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-46-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-47-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-87-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-89-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-94-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-95-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-48-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-93-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-91-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-90-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-88-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-92-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2080-101-0x0000000070CFD000-0x0000000070D08000-memory.dmp

Filesize
44KB

Download
memory/2080-102-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-28-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2080-2-0x0000000070CFD000-0x0000000070D08000-memory.dmp

Filesize
44KB

Download
memory/2080-7-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2828-104-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2828-99-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download