2beab06a68f9fe2dbe40ae26497b0226293b67acc89d496b6863594dfd023597

General

Target

Akt sverki nachalo iyulya.exe
Size

998KB
MD5

e35bc27eaa316431da022774ad0b9ab7
SHA1

9e937f904319dbc8d7d8cdef81119ded0db96093
SHA256

65163c2a5608d66d615a284943d5ebf811a78e6ecebec47835b4680a19d07518
SHA512

9167f11c31cfead7e1b199ce754461ad28563175bba0756e24256992dfaa10c6b136139ac0261551c623e9b23255bd2bde91646d54a928704b8a711cfbb6d21b

Score

7^/10

spyware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

584 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
584	cmd.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Akt sverki nachalo iyulya.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Akt sverki nachalo iyulya.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Akt sverki nachalo iyulya.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1556 PING.EXE
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 4 WinHttp.WinHttpRequest.5.1

pid	process
1556	PING.EXE

description	flow	ioc
HTTP User-Agent header	4	WinHttp.WinHttpRequest.5.1

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

Akt sverki nachalo iyulya.exeAkt sverki nachalo iyulya.execmd.exe

description	pid	process	target process
PID 480 wrote to memory of 884	480	Akt sverki nachalo iyulya.exe	Akt sverki nachalo iyulya.exe
PID 480 wrote to memory of 884	480	Akt sverki nachalo iyulya.exe	Akt sverki nachalo iyulya.exe
PID 480 wrote to memory of 884	480	Akt sverki nachalo iyulya.exe	Akt sverki nachalo iyulya.exe
PID 480 wrote to memory of 884	480	Akt sverki nachalo iyulya.exe	Akt sverki nachalo iyulya.exe
PID 884 wrote to memory of 584	884	Akt sverki nachalo iyulya.exe	cmd.exe
PID 884 wrote to memory of 584	884	Akt sverki nachalo iyulya.exe	cmd.exe
PID 884 wrote to memory of 584	884	Akt sverki nachalo iyulya.exe	cmd.exe
PID 884 wrote to memory of 584	884	Akt sverki nachalo iyulya.exe	cmd.exe
PID 584 wrote to memory of 1556	584	cmd.exe	PING.EXE
PID 584 wrote to memory of 1556	584	cmd.exe	PING.EXE
PID 584 wrote to memory of 1556	584	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\Akt sverki nachalo iyulya.exe
"C:\Users\Admin\AppData\Local\Temp\Akt sverki nachalo iyulya.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:480

C:\Users\Admin\AppData\Local\Temp\Akt sverki nachalo iyulya.exe
"C:\Users\Admin\AppData\Local\Temp\Akt sverki nachalo iyulya.exe" dfsr
2⤵
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:884

C:\Windows\system32\cmd.exe
cmd.exe /c ping 127.0.0.1 & del /F /Q "C:\Users\Admin\AppData\Local\Temp\Akt sverki nachalo iyulya.exe"
3⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:584

C:\Windows\system32\PING.EXE
ping 127.0.0.1
4⤵
- Runs ping.exe
PID:1556

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/480-54-0x0000000075941000-0x0000000075943000-memory.dmp

Filesize
8KB

Download
memory/480-56-0x0000000000220000-0x000000000022E000-memory.dmp

Filesize
56KB

Download
memory/480-58-0x0000000000400000-0x00000000004FE000-memory.dmp

Filesize
1016KB

Download
memory/584-60-0x0000000000000000-mapping.dmp

Download
memory/884-55-0x0000000000000000-mapping.dmp

Download
memory/884-59-0x0000000000400000-0x00000000004FE000-memory.dmp

Filesize
1016KB

Download
memory/1556-61-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing