Analysis
- max time kernel: 118s
- max time network: 123s
- platform: windows10_x64
- resource: win10
- submitted: 31-07-2020 11:27
Static task: static1
Behavioral task: behavioral1
Sample: Zayavka konec proshlogo mesyaca.exe
Resource: win7v200722
General
- Target: Zayavka konec proshlogo mesyaca.exe
- Size: 1.4MB
- MD5: aa09b35809b0c229b78c7b0fd97ec85a
- SHA1: 2f635c709a52ccae9c00a74864bad3c1fd18991a
- SHA256: 97ba4ad5b02bc8812864b06941778432faf60a667c0279c0c7c092b76e91b9cc
- SHA512: 9f8a87acede109c5f75393be3caeb352492d5d7f388627d73b93cb9cdadbf42fa507c1f4b01460da85f60ae26df841fcf3c3dd5291215a40eb7ecbfda9b82f0b
Malware Config
Signatures
-
Accesses cryptocurrency wallets, possible credential harvesting (2 TTPs)
-
Script User-Agent (2 IoCs)
Uses user-agent string associated with script host/environment.
Processes:
description | flow | ioc
HTTP User-Agent header | 3 | WinHttp.WinHttpRequest.5.1
HTTP User-Agent header | 4 | WinHttp.WinHttpRequest.5.1
-
Suspicious use of WriteProcessMemory (7 IoCs)
Processes: Zayavka konec proshlogo mesyaca.exe, Zayavka konec proshlogo mesyaca.exe, cmd.exe
description | pid | process | target process
PID 3216 wrote to memory of 3224 | 3216 | Zayavka konec proshlogo mesyaca.exe | Zayavka konec proshlogo mesyaca.exe
PID 3216 wrote to memory of 3224 | 3216 | Zayavka konec proshlogo mesyaca.exe | Zayavka konec proshlogo mesyaca.exe
PID 3216 wrote to memory of 3224 | 3216 | Zayavka konec proshlogo mesyaca.exe | Zayavka konec proshlogo mesyaca.exe
PID 3224 wrote to memory of 3932 | 3224 | Zayavka konec proshlogo mesyaca.exe | cmd.exe
PID 3224 wrote to memory of 3932 | 3224 | Zayavka konec proshlogo mesyaca.exe | cmd.exe
PID 3932 wrote to memory of 3732 | 3932 | cmd.exe | PING.EXE
PID 3932 wrote to memory of 3732 | 3932 | cmd.exe | PING.EXE
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Runs ping.exe (1 TTPs, 1 IoCs)
-
Suspicious use of AdjustPrivilegeToken (40 IoCs)
Processes: Zayavka konec proshlogo mesyaca.exe
description | pid | process
Token: SeImpersonatePrivilege | 3224 | Zayavka konec proshlogo mesyaca.exe
Token: SeTcbPrivilege | 3224 | Zayavka konec proshlogo mesyaca.exe
Token: SeChangeNotifyPrivilege | 3224 | Zayavka konec proshlogo mesyaca.exe
Token: SeCreateTokenPrivilege | 3224 | Zayavka konec proshlogo mesyaca.exe
Token: SeBackupPrivilege | 3224 | Zayavka konec proshlogo mesyaca.exe
Token: SeRestorePrivilege | 3224 | Zayavka konec proshlogo mesyaca.exe
Token: SeIncreaseQuotaPrivilege | 3224 | Zayavka konec proshlogo mesyaca.exe
Token: SeAssignPrimaryTokenPrivilege | 3224 | Zayavka konec proshlogo mesyaca.exe
Token: SeImpersonatePrivilege | 3224 | Zayavka konec proshlogo mesyaca.exe
Token: SeTcbPrivilege | 3224 | Zayavka konec proshlogo mesyaca.exe
Token: SeChangeNotifyPrivilege | 3224 | Zayavka konec proshlogo mesyaca.exe
Token: SeCreateTokenPrivilege | 3224 | Zayavka konec proshlogo mesyaca.exe
Token: SeBackupPrivilege | 3224 | Zayavka konec proshlogo mesyaca.exe
Token: SeRestorePrivilege | 3224 | Zayavka konec proshlogo mesyaca.exe
Token: SeIncreaseQuotaPrivilege | 3224 | Zayavka konec proshlogo mesyaca.exe
Token: SeAssignPrimaryTokenPrivilege | 3224 | Zayavka konec proshlogo mesyaca.exe
Token: SeImpersonatePrivilege | 3224 | Zayavka konec proshlogo mesyaca.exe
Token: SeTcbPrivilege | 3224 | Zayavka konec proshlogo mesyaca.exe
Token: SeChangeNotifyPrivilege | 3224 | Zayavka konec proshlogo mesyaca.exe
Token: SeCreateTokenPrivilege | 3224 | Zayavka konec proshlogo mesyaca.exe
Token: SeBackupPrivilege | 3224 | Zayavka konec proshlogo mesyaca.exe
Token: SeRestorePrivilege | 3224 | Zayavka konec proshlogo mesyaca.exe
Token: SeIncreaseQuotaPrivilege | 3224 | Zayavka konec proshlogo mesyaca.exe
Token: SeAssignPrimaryTokenPrivilege | 3224 | Zayavka konec proshlogo mesyaca.exe
Token: SeImpersonatePrivilege | 3224 | Zayavka konec proshlogo mesyaca.exe
Token: SeTcbPrivilege | 3224 | Zayavka konec proshlogo mesyaca.exe
Token: SeChangeNotifyPrivilege | 3224 | Zayavka konec proshlogo mesyaca.exe
Token: SeCreateTokenPrivilege | 3224 | Zayavka konec proshlogo mesyaca.exe
Token: SeBackupPrivilege | 3224 | Zayavka konec proshlogo mesyaca.exe
Token: SeRestorePrivilege | 3224 | Zayavka konec proshlogo mesyaca.exe
Token: SeIncreaseQuotaPrivilege | 3224 | Zayavka konec proshlogo mesyaca.exe
Token: SeAssignPrimaryTokenPrivilege | 3224 | Zayavka konec proshlogo mesyaca.exe
Token: SeImpersonatePrivilege | 3224 | Zayavka konec proshlogo mesyaca.exe
Token: SeTcbPrivilege | 3224 | Zayavka konec proshlogo mesyaca.exe
Token: SeChangeNotifyPrivilege | 3224 | Zayavka konec proshlogo mesyaca.exe
Token: SeCreateTokenPrivilege | 3224 | Zayavka konec proshlogo mesyaca.exe
Token: SeBackupPrivilege | 3224 | Zayavka konec proshlogo mesyaca.exe
Token: SeRestorePrivilege | 3224 | Zayavka konec proshlogo mesyaca.exe
Token: SeIncreaseQuotaPrivilege | 3224 | Zayavka konec proshlogo mesyaca.exe
Token: SeAssignPrimaryTokenPrivilege | 3224 | Zayavka konec proshlogo mesyaca.exe
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Processes
-
1. Image: C:\Users\Admin\AppData\Local\Temp\Zayavka konec proshlogo mesyaca.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Zayavka konec proshlogo mesyaca.exe"
   - Suspicious use of WriteProcessMemory
-
  2. Image: C:\Users\Admin\AppData\Local\Temp\Zayavka konec proshlogo mesyaca.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\Zayavka konec proshlogo mesyaca.exe" dfsr
     - Suspicious use of WriteProcessMemory
     - Suspicious use of AdjustPrivilegeToken
-
    3. Image: C:\Windows\SYSTEM32\cmd.exe
       Command line: cmd.exe /c ping 127.0.0.1 & del /F /Q "C:\Users\Admin\AppData\Local\Temp\Zayavka konec proshlogo mesyaca.exe"
       - Suspicious use of WriteProcessMemory
-
      4. Image: C:\Windows\system32\PING.EXE
         Command line: ping 127.0.0.1
         - Runs ping.exe