Analysis
max time kernel: 117s
max time network: 118s
platform: windows10_x64
resource: win10
submitted: 13-07-2020 11:30

Static task: static1
Behavioral task: behavioral1
Sample: Akt nachalo iyulya.exe
Resource: win7 (windows7_x64): 0 signatures, 0 seconds
General
Target: Akt nachalo iyulya.exe
Size: 1.1MB
MD5: 7f7c5cacc9352348efed2bd68321dae6
SHA1: a01fe5803a58bdb1f3095806433186efbfc6f409
SHA256: 4e07e19a75305cc86b8714e29695b0297b663627d55e108fad4560613e02cd32
SHA512: 5cd1662246f7c6f3b3107d710c0ff754ed8c7bacaf5b6115a3c87ac54c95dd5ea08973ca72a609582620928dda2ea43f3af4aaf8e7971dbbdd48c1ca2f44a234
Malware Config
Signatures
Suspicious use of WriteProcessMemory (7 IoCs)
Processes: Akt nachalo iyulya.exe, Akt nachalo iyulya.exe, cmd.exe
  source PID  source process          target PID  target process          entries
  3068        Akt nachalo iyulya.exe  3836        Akt nachalo iyulya.exe  3
  3836        Akt nachalo iyulya.exe  3600        cmd.exe                 2
  3600        cmd.exe                 3372        PING.EXE                2
The cmd.exe to PING.EXE entries show that this signature also fires on ordinary process creation, where the parent writes the new process's startup parameters into it, so the count is context rather than proof of injection. The 3068 to 3836 writes are the pair worth inspecting: the target is the same binary relaunched with the argument dfsr.
Checks for installed software on the system (1 TTP, 7 IoCs)
Processes: Akt nachalo iyulya.exe
  Key enumerated     \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\DisplayName
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName
  Key opened         \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall
All accesses land under WOW6432Node, which is where HKLM\SOFTWARE is redirected for a 32-bit process on 64-bit Windows, so the sample is a 32-bit binary walking the Uninstall list to read installed product names (Google Chrome and several MSI product-code subkeys).
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (40 IoCs)
Processes: Akt nachalo iyulya.exe
All 40 entries come from PID 3836 (Akt nachalo iyulya.exe) requesting the same eight privileges, in this order, five times over:
  Token: SeImpersonatePrivilege
  Token: SeTcbPrivilege
  Token: SeChangeNotifyPrivilege
  Token: SeCreateTokenPrivilege
  Token: SeBackupPrivilege
  Token: SeRestorePrivilege
  Token: SeIncreaseQuotaPrivilege
  Token: SeAssignPrimaryTokenPrivilege
The sandbox logs the AdjustTokenPrivileges call, not its outcome: a token that does not already hold a privilege cannot enable it, and the call reports ERROR_NOT_ALL_ASSIGNED. SeTcbPrivilege, SeCreateTokenPrivilege and SeAssignPrimaryTokenPrivilege are not granted to interactive users by default, so these entries record intent rather than obtained privilege.
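As an added example that is not part of the sandbox report, the following Python rebuilds the AdjustPrivilegeToken list above (eight privileges repeated five times for PID 3836), parses the report's "Token: <privilege> <pid> <process>" layout, and groups the privileges by who holds them under Windows' default user-rights assignment, so an analyst can see at a glance which requests a non-SYSTEM process could not satisfy. The grouping sets are general Windows knowledge and an assumption of this example, not data from the report.

```python
import re
from collections import Counter

# Rebuilt from the page's AdjustPrivilegeToken list: one round of eight entries,
# which the report repeats five times for PID 3836 (8 x 5 = 40 IoCs).
ROUND = " ".join(
    f"Token: {p} 3836 Akt nachalo iyulya.exe" for p in (
        "SeImpersonatePrivilege", "SeTcbPrivilege", "SeChangeNotifyPrivilege",
        "SeCreateTokenPrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
        "SeIncreaseQuotaPrivilege", "SeAssignPrimaryTokenPrivilege",
    )
)
IOC_TEXT = " ".join([ROUND] * 5)

# One entry: "Token: SeXxxPrivilege <pid> <process name>", process name running up to
# the next "Token:" or the end of the text.
ENTRY_RE = re.compile(r"Token:\s+(Se\w+?Privilege)\s+(\d+)\s+(.*?)(?=\s+Token:|$)", re.S)

# Default holders under Windows' standard user-rights assignment (general knowledge,
# assumed for this example, not taken from the report).
SYSTEM_OR_SERVICE_ONLY = {
    "SeTcbPrivilege", "SeCreateTokenPrivilege", "SeAssignPrimaryTokenPrivilege",
}
ADMIN_LEVEL = {
    "SeImpersonatePrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
    "SeIncreaseQuotaPrivilege",
}


def parse_token_iocs(text):
    """Parse the flattened sandbox list into one dict per AdjustTokenPrivileges call."""
    return [
        {"privilege": priv, "pid": int(pid), "process": proc.strip()}
        for priv, pid, proc in ENTRY_RE.findall(text)
    ]


def summarize(entries):
    """Collapse the calls into distinct privileges, repetition count and risk grouping."""
    order = list(dict.fromkeys(e["privilege"] for e in entries))  # first-seen order
    counts = Counter(e["privilege"] for e in entries)
    per_priv = set(counts.values())
    return {
        "total": len(entries),
        "pids": sorted({e["pid"] for e in entries}),
        "distinct": order,
        # Number of full rounds if every privilege was requested equally often.
        "rounds": per_priv.pop() if len(per_priv) == 1 else None,
        "system_or_service_only": [p for p in order if p in SYSTEM_OR_SERVICE_ONLY],
        "admin_level": [p for p in order if p in ADMIN_LEVEL],
        "baseline": [p for p in order if p not in SYSTEM_OR_SERVICE_ONLY | ADMIN_LEVEL],
    }


if __name__ == "__main__":
    for key, value in summarize(parse_token_iocs(IOC_TEXT)).items():
        print(f"{key}: {value}")
```

The summary reduces 40 log lines to one process, eight privileges and a repetition count of five; the three privileges in the system-or-service-only group are the ones that could not have been enabled from the sandbox's user session regardless of what the sample asked for.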
Script User-Agent (2 IoCs)
  flow  HTTP User-Agent header
  3     WinHttp.WinHttpRequest.5.1
  5     WinHttp.WinHttpRequest.5.1
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency wallets, possible credential harvesting (2 TTPs)

Processes
1. C:\Users\Admin\AppData\Local\Temp\Akt nachalo iyulya.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\Akt nachalo iyulya.exe"
   PID: 3068
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Akt nachalo iyulya.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Akt nachalo iyulya.exe" dfsr
      PID: 3836
      - Suspicious use of WriteProcessMemory
      - Checks for installed software on the system
      - Suspicious use of AdjustPrivilegeToken
      3. C:\Windows\SYSTEM32\cmd.exe
         command line: cmd.exe /c ping 127.0.0.1 & del /F /Q "C:\Users\Admin\AppData\Local\Temp\Akt nachalo iyulya.exe"
         PID: 3600
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\system32\PING.EXE
            command line: ping 127.0.0.1
            PID: 3372
            - Runs ping.exe
The chain is the sample relaunching itself with the argument dfsr; the second instance does the registry, credential-store and token work, then spawns cmd.exe, which waits on a loopback ping and deletes the original executable from disk.
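As an added example that is not part of the sandbox report, the following Python reproduces the process tree above as constructed Sysmon-style process-creation events and runs two detection checks over them: a process started from its parent's own image with an extra argument (3068 to 3836, "dfsr"), and a cmd.exe line that delays on ping or timeout and then deletes the image of one of its ancestors (3600). PIDs, paths and command lines are the ones the report shows; the parent of PID 3068 is not on the page and is left unknown, and the two benign control events (PIDs 4100 and 4101) are assumptions added to show the checks stay quiet on ordinary ping and del usage.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style process-creation events mirroring the tree in this report.
# PIDs, image paths and command lines are those the sandbox recorded; the parent of
# PID 3068 is not on the page, so it is None. PIDs 4100 and 4101 are assumed benign
# controls that are not from the report.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Akt nachalo iyulya.exe"
EVENTS: List[Dict] = [
    {"pid": 3068, "ppid": None, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 3836, "ppid": 3068, "image": SAMPLE, "cmdline": f'"{SAMPLE}" dfsr'},
    {"pid": 3600, "ppid": 3836, "image": r"C:\Windows\SYSTEM32\cmd.exe",
     "cmdline": f'cmd.exe /c ping 127.0.0.1 & del /F /Q "{SAMPLE}"'},
    {"pid": 3372, "ppid": 3600, "image": r"C:\Windows\system32\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    {"pid": 4100, "ppid": 2000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c ping 10.0.0.1"},
    {"pid": 4101, "ppid": 2000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c del /F /Q "C:\Users\Admin\AppData\Local\Temp\report.tmp"'},
]

# "del [/switches] <path>" at the end of a cmd line; the path may be quoted.
DEL_RE = re.compile(r'\bdel\b(?:\s+/[A-Za-z])*\s+"?([^"&]+?)"?\s*$', re.IGNORECASE)
# The usual sleep substitutes used before a self-delete.
DELAY_RE = re.compile(r"\b(?:ping|timeout)\b", re.IGNORECASE)


def split_cmdline(cmdline: str):
    """Return (program, remaining arguments) for a Windows command line."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end], s[end + 1:].strip()
    parts = s.split(None, 1)
    return parts[0], (parts[1].strip() if len(parts) > 1 else "")


def ancestors(events: List[Dict], pid: int) -> List[Dict]:
    """Walk ppid links upward; nearest ancestor first."""
    by_pid = {e["pid"]: e for e in events}
    chain, cur = [], by_pid.get(pid)
    while cur is not None and cur["ppid"] is not None:
        parent = by_pid.get(cur["ppid"])
        if parent is None:
            break
        chain.append(parent)
        cur = parent
    return chain


def find_self_relaunch(events: List[Dict]):
    """Child started from the same image as its parent but with arguments the parent lacked."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None or parent["image"].lower() != e["image"].lower():
            continue
        _, child_args = split_cmdline(e["cmdline"])
        _, parent_args = split_cmdline(parent["cmdline"])
        if child_args and child_args != parent_args:
            hits.append((parent["pid"], e["pid"], child_args))
    return hits


def find_self_delete(events: List[Dict]):
    """cmd.exe that delays (ping/timeout) and then deletes the image of one of its ancestors."""
    hits = []
    for e in events:
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        m = DEL_RE.search(e["cmdline"])
        if not m or not DELAY_RE.search(e["cmdline"]):
            continue
        target = m.group(1).strip()
        matching = [a["pid"] for a in ancestors(events, e["pid"])
                    if a["image"].lower() == target.lower()]
        if matching:
            hits.append({"pid": e["pid"], "deleted": target, "ancestors": matching})
    return hits


def findings(events: List[Dict]) -> Dict:
    return {"self_relaunch": find_self_relaunch(events),
            "self_delete": find_self_delete(events)}


if __name__ == "__main__":
    for name, hits in findings(EVENTS).items():
        print(name, hits)
```

Requiring the deleted path to match an ancestor's image is what keeps the self-delete rule from firing on every cleanup script that happens to del a temp file; the relaunch rule is deliberately loose (any new argument), so in production it is best used as an enrichment on the self-delete hit rather than as an alert on its own.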