Overview

overview

10

Static

static

Sverit' da...ya.exe

windows7_x64

10

Sverit' da...ya.exe

windows10_x64

10

Analysis

  • max time kernel
    142s
  • max time network
    65s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    29-05-2020 19:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Sverit' dannye za konec maya.exe

  • Size

    246KB

  • MD5

    56b782641675c1f36899e3863871d569

  • SHA1

    cf3064a8865834e531d793a7f6ad374acbdc5cc5

  • SHA256

    e3d26ec0477d9578aaa7762c27514f91c1c9503935c9d1f48cf34698de2ac9cf

  • SHA512

    6134b3faabdbd4e1a6764c3d0a1011af21ec1feaf603405de3bfd7792c7ee37b7e49d0581227e42d5d60f974d82a7e3cf43b72a8e605058efc4bad1d02153345

Score
10/10
spywarediscoveryratstealerpony

Malware Config

Signatures

  • Suspicious use of AdjustPrivilegeToken 40 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spyware
  • Accesses cryptocurrency wallets, possible credential harvesting 2 TTPs
    spyware
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • Script User-Agent 1 IoCs
  • Checks for installed software on the system 1 TTPs 7 IoCs
    discovery

Processes

  • C:\Users\Admin\AppData\Local\Temp\Sverit' dannye za konec maya.exe
    "C:\Users\Admin\AppData\Local\Temp\Sverit' dannye za konec maya.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3544
    • C:\Users\Admin\AppData\Local\Temp\Sverit' dannye za konec maya.exe
      "C:\Users\Admin\AppData\Local\Temp\Sverit' dannye za konec maya.exe" dfsr
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • Checks for installed software on the system
      PID:3188
      • C:\Windows\SYSTEM32\cmd.exe
        cmd.exe /c ping 127.0.0.1 & del /F /Q "C:\Users\Admin\AppData\Local\Temp\Sverit' dannye za konec maya.exe"
        3⤵
          PID:2088
          • C:\Windows\system32\PING.EXE
            ping 127.0.0.1
            4⤵
            • Runs ping.exe
            PID:2156

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Credentials in Files

    3
    T1081

    Discovery

    Remote System Discovery

    1
    T1018

    Query Registry

    1
    T1012

    Lateral Movement

    Collection

    Data from Local System

    3
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/3188-0-0x0000000002DD0000-0x0000000002DEC000-memory.dmp
      Filesize

      112KB

      Download