Analysis
- max time kernel: 110s
- max time network: 103s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 14:00
Behavioral task: behavioral1
- Sample: Akt sverki nachalo iyulya.exe
- Resource: win7-20220414-en (windows7_x64)
- 0 signatures
- 0 seconds
General
- Target: Akt sverki nachalo iyulya.exe
- Size: 998KB
- MD5: e35bc27eaa316431da022774ad0b9ab7
- SHA1: 9e937f904319dbc8d7d8cdef81119ded0db96093
- SHA256: 65163c2a5608d66d615a284943d5ebf811a78e6ecebec47835b4680a19d07518
- SHA512: 9167f11c31cfead7e1b199ce754461ad28563175bba0756e24256992dfaa10c6b136139ac0261551c623e9b23255bd2bde91646d54a928704b8a711cfbb6d21b
Malware Config
Signatures
- Deletes itself (1 IoCs)
  Processes:
    pid: 584 | process: cmd.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Modifies system certificate store
  Processes (Akt sverki nachalo iyulya.exe):
    description: Key created | ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | process: Akt sverki nachalo iyulya.exe
    description: Set value (data) | ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 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 | process: Akt sverki nachalo iyulya.exe
- Runs ping.exe (1 TTPs, 1 IoCs)
- Script User-Agent (1 IoCs)
  Uses user-agent string associated with script host/environment.
  Processes:
    description: HTTP User-Agent header | flow: 4 | ioc: WinHttp.WinHttpRequest.5.1
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (Akt sverki nachalo iyulya.exe, Akt sverki nachalo iyulya.exe, cmd.exe):
    description: PID 480 wrote to memory of 884 | pid: 480 | process: Akt sverki nachalo iyulya.exe | target process: Akt sverki nachalo iyulya.exe (4 entries)
    description: PID 884 wrote to memory of 584 | pid: 884 | process: Akt sverki nachalo iyulya.exe | target process: cmd.exe (4 entries)
    description: PID 584 wrote to memory of 1556 | pid: 584 | process: cmd.exe | target process: PING.EXE (3 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\Akt sverki nachalo iyulya.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Akt sverki nachalo iyulya.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Akt sverki nachalo iyulya.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Akt sverki nachalo iyulya.exe" dfsr
      - Modifies system certificate store
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\cmd.exe
         Command line: cmd.exe /c ping 127.0.0.1 & del /F /Q "C:\Users\Admin\AppData\Local\Temp\Akt sverki nachalo iyulya.exe"
         - Deletes itself
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\system32\PING.EXE
            Command line: ping 127.0.0.1
            - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/480-54-0x0000000075941000-0x0000000075943000-memory.dmp (Filesize: 8KB)
- memory/480-56-0x0000000000220000-0x000000000022E000-memory.dmp (Filesize: 56KB)
- memory/480-58-0x0000000000400000-0x00000000004FE000-memory.dmp (Filesize: 1016KB)
- memory/584-60-0x0000000000000000-mapping.dmp
- memory/884-55-0x0000000000000000-mapping.dmp
- memory/884-59-0x0000000000400000-0x00000000004FE000-memory.dmp (Filesize: 1016KB)
- memory/1556-61-0x0000000000000000-mapping.dmp