Analysis

max time kernel: 145s
max time network: 55s
platform: windows7_x64
resource: win7v200722
submitted: 31-07-2020 11:27

Static task: static1
Behavioral task: behavioral1
Sample: Zayavka konec proshlogo mesyaca.exe
Resource: win7v200722
General

Target: Zayavka konec proshlogo mesyaca.exe
Size: 1.4MB
MD5: aa09b35809b0c229b78c7b0fd97ec85a
SHA1: 2f635c709a52ccae9c00a74864bad3c1fd18991a
SHA256: 97ba4ad5b02bc8812864b06941778432faf60a667c0279c0c7c092b76e91b9cc
SHA512: 9f8a87acede109c5f75393be3caeb352492d5d7f388627d73b93cb9cdadbf42fa507c1f4b01460da85f60ae26df841fcf3c3dd5291215a40eb7ecbfda9b82f0b
Malware Config
Signatures

- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

- Accesses cryptocurrency wallets, possible credential harvesting (2 TTPs)

- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: Zayavka konec proshlogo mesyaca.exe, Zayavka konec proshlogo mesyaca.exe, cmd.exe

  description                        pid   process                              target process
  PID 1420 wrote to memory of 1464   1420  Zayavka konec proshlogo mesyaca.exe  Zayavka konec proshlogo mesyaca.exe
  PID 1420 wrote to memory of 1464   1420  Zayavka konec proshlogo mesyaca.exe  Zayavka konec proshlogo mesyaca.exe
  PID 1420 wrote to memory of 1464   1420  Zayavka konec proshlogo mesyaca.exe  Zayavka konec proshlogo mesyaca.exe
  PID 1420 wrote to memory of 1464   1420  Zayavka konec proshlogo mesyaca.exe  Zayavka konec proshlogo mesyaca.exe
  PID 1464 wrote to memory of 1316   1464  Zayavka konec proshlogo mesyaca.exe  cmd.exe
  PID 1464 wrote to memory of 1316   1464  Zayavka konec proshlogo mesyaca.exe  cmd.exe
  PID 1464 wrote to memory of 1316   1464  Zayavka konec proshlogo mesyaca.exe  cmd.exe
  PID 1464 wrote to memory of 1316   1464  Zayavka konec proshlogo mesyaca.exe  cmd.exe
  PID 1316 wrote to memory of 624    1316  cmd.exe                              PING.EXE
  PID 1316 wrote to memory of 624    1316  cmd.exe                              PING.EXE
  PID 1316 wrote to memory of 624    1316  cmd.exe                              PING.EXE
- Suspicious use of AdjustPrivilegeToken (32 IoCs)
  Processes: Zayavka konec proshlogo mesyaca.exe

  description                            pid   process
  Token: SeImpersonatePrivilege          1464  Zayavka konec proshlogo mesyaca.exe  (4 occurrences)
  Token: SeTcbPrivilege                  1464  Zayavka konec proshlogo mesyaca.exe  (4 occurrences)
  Token: SeChangeNotifyPrivilege         1464  Zayavka konec proshlogo mesyaca.exe  (4 occurrences)
  Token: SeCreateTokenPrivilege          1464  Zayavka konec proshlogo mesyaca.exe  (4 occurrences)
  Token: SeBackupPrivilege               1464  Zayavka konec proshlogo mesyaca.exe  (4 occurrences)
  Token: SeRestorePrivilege              1464  Zayavka konec proshlogo mesyaca.exe  (4 occurrences)
  Token: SeIncreaseQuotaPrivilege        1464  Zayavka konec proshlogo mesyaca.exe  (4 occurrences)
  Token: SeAssignPrimaryTokenPrivilege   1464  Zayavka konec proshlogo mesyaca.exe  (4 occurrences)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Deletes itself (1 IoC)
  Processes: cmd.exe

  pid   process
  1316  cmd.exe

- Runs ping.exe (1 TTP, 1 IoC)

- Script User-Agent (2 IoCs)
  Uses user-agent string associated with script host/environment.

  description             flow  ioc
  HTTP User-Agent header  9     WinHttp.WinHttpRequest.5.1
  HTTP User-Agent header  4     WinHttp.WinHttpRequest.5.1
Processes

- C:\Users\Admin\AppData\Local\Temp\Zayavka konec proshlogo mesyaca.exe (PID 1420)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Zayavka konec proshlogo mesyaca.exe"
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\Zayavka konec proshlogo mesyaca.exe (PID 1464)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Zayavka konec proshlogo mesyaca.exe" dfsr
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken

    - C:\Windows\system32\cmd.exe (PID 1316)
      Command line: cmd.exe /c ping 127.0.0.1 & del /F /Q "C:\Users\Admin\AppData\Local\Temp\Zayavka konec proshlogo mesyaca.exe"
      - Suspicious use of WriteProcessMemory
      - Deletes itself

      - C:\Windows\system32\PING.EXE (PID 624)
        Command line: ping 127.0.0.1
        - Runs ping.exe