Analysis

max time kernel:   142s
max time network:  65s
platform:          windows10_x64
resource:          win10v200430
submitted:         29-05-2020 19:55

Static task:       static1
Behavioral task:   behavioral1
Sample:            Sverit' dannye za konec maya.exe
Resource:          win7v200430 (windows7_x64)
                   0 signatures, 0 seconds
General

Target:  Sverit' dannye za konec maya.exe
Size:    246KB
MD5:     56b782641675c1f36899e3863871d569
SHA1:    cf3064a8865834e531d793a7f6ad374acbdc5cc5
SHA256:  e3d26ec0477d9578aaa7762c27514f91c1c9503935c9d1f48cf34698de2ac9cf
SHA512:  6134b3faabdbd4e1a6764c3d0a1011af21ec1feaf603405de3bfd7792c7ee37b7e49d0581227e42d5d60f974d82a7e3cf43b72a8e605058efc4bad1d02153345
Malware Config
Signatures
Suspicious use of AdjustPrivilegeToken (40 IoCs)
Processes:
The report repeats the same eight privilege adjustments, all made by PID 3188; the distinct rows are:

description                             pid   process
Token: SeImpersonatePrivilege           3188  Sverit' dannye za konec maya.exe
Token: SeTcbPrivilege                   3188  Sverit' dannye za konec maya.exe
Token: SeChangeNotifyPrivilege          3188  Sverit' dannye za konec maya.exe
Token: SeCreateTokenPrivilege           3188  Sverit' dannye za konec maya.exe
Token: SeBackupPrivilege                3188  Sverit' dannye za konec maya.exe
Token: SeRestorePrivilege               3188  Sverit' dannye za konec maya.exe
Token: SeIncreaseQuotaPrivilege         3188  Sverit' dannye za konec maya.exe
Token: SeAssignPrimaryTokenPrivilege    3188  Sverit' dannye za konec maya.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar data.

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Accesses cryptocurrency wallets, possible credential harvesting (2 TTPs)

Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of WriteProcessMemory (5 IoCs)
Processes:

description                        pid   process                           target process
PID 3544 wrote to memory of 3188   3544  Sverit' dannye za konec maya.exe  Sverit' dannye za konec maya.exe
PID 3544 wrote to memory of 3188   3544  Sverit' dannye za konec maya.exe  Sverit' dannye za konec maya.exe
PID 3544 wrote to memory of 3188   3544  Sverit' dannye za konec maya.exe  Sverit' dannye za konec maya.exe
PID 3188 wrote to memory of 2088   3188  Sverit' dannye za konec maya.exe  cmd.exe
PID 3188 wrote to memory of 2088   3188  Sverit' dannye za konec maya.exe  cmd.exe
Script User-Agent (1 IoCs)
Processes:

description             flow  ioc
HTTP User-Agent header  8     WinHttp.WinHttpRequest.5.1
Checks for installed software on the system (1 TTPs, 7 IoCs)
Processes:
All rows below are from the process Sverit' dannye za konec maya.exe.

description        ioc
Key value queried  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName
Key value queried  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName
Key opened         \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall
Key enumerated     \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall
Key value queried  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName
Key value queried  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\DisplayName
Key value queried  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName
Processes

1. C:\Users\Admin\AppData\Local\Temp\Sverit' dannye za konec maya.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\Sverit' dannye za konec maya.exe"
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\Sverit' dannye za konec maya.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Sverit' dannye za konec maya.exe" dfsr
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - Checks for installed software on the system

      3. C:\Windows\SYSTEM32\cmd.exe
         command line: cmd.exe /c ping 127.0.0.1 & del /F /Q "C:\Users\Admin\AppData\Local\Temp\Sverit' dannye za konec maya.exe"

         4. C:\Windows\system32\PING.EXE
            command line: ping 127.0.0.1
            - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

memory/3188-0-0x0000000002DD0000-0x0000000002DEC000-memory.dmp   Filesize: 112KB