Analysis
- max time kernel: 112s
- max time network: 131s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 10:29
Static task: static1
Behavioral task: behavioral1
Sample: Paket za proshlyj mesyac.exe
Resource: win7-20220414-en (windows7_x64)
0 signatures, 0 seconds
General
- Target: Paket za proshlyj mesyac.exe
- Size: 1.4MB
- MD5: 03208be2340bbfea174cff970976b2c7
- SHA1: e91ff54b19a37dc71af84902024de85f3c176f01
- SHA256: 785fb441663997067c0126c5574423d01242220e107db86c847ad8ea30752729
- SHA512: f936f22581220c2ba3419decbcd49ad5f5270d52a839567d98c512b214082c366f7cbd20f9eb44e78a644c4eb9bb1575fc25a9ecca4f8b436b06de9da87d6d65
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Script User-Agent (2 IoCs)
  Uses user-agent string associated with script host/environment.
  Processes:
    description             flow  ioc
    HTTP User-Agent header  12    WinHttp.WinHttpRequest.5.1
    HTTP User-Agent header  14    WinHttp.WinHttpRequest.5.1
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: Paket za proshlyj mesyac.exe, Paket za proshlyj mesyac.exe, cmd.exe
    description                       pid   process                       target process
    PID 3932 wrote to memory of 4844  3932  Paket za proshlyj mesyac.exe  Paket za proshlyj mesyac.exe
    PID 3932 wrote to memory of 4844  3932  Paket za proshlyj mesyac.exe  Paket za proshlyj mesyac.exe
    PID 3932 wrote to memory of 4844  3932  Paket za proshlyj mesyac.exe  Paket za proshlyj mesyac.exe
    PID 4844 wrote to memory of 5032  4844  Paket za proshlyj mesyac.exe  cmd.exe
    PID 4844 wrote to memory of 5032  4844  Paket za proshlyj mesyac.exe  cmd.exe
    PID 5032 wrote to memory of 220   5032  cmd.exe                       PING.EXE
    PID 5032 wrote to memory of 220   5032  cmd.exe                       PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\Paket za proshlyj mesyac.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Paket za proshlyj mesyac.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Paket za proshlyj mesyac.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Paket za proshlyj mesyac.exe" dfsr
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd.exe /c ping 127.0.0.1 & del /F /Q "C:\Users\Admin\AppData\Local\Temp\Paket za proshlyj mesyac.exe"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\PING.EXE
        Command line: ping 127.0.0.1
        - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/220-135-0x0000000000000000-mapping.dmp
- memory/3932-130-0x0000000002170000-0x000000000217E000-memory.dmp (Filesize 56KB)
- memory/3932-131-0x0000000000400000-0x000000000056A000-memory.dmp (Filesize 1.4MB)
- memory/4844-132-0x0000000000000000-mapping.dmp
- memory/4844-133-0x0000000000400000-0x000000000056A000-memory.dmp (Filesize 1.4MB)
- memory/5032-134-0x0000000000000000-mapping.dmp