68d21d20f6a9f46d9151aae1005b0e0335a8ec731aa9793d5d234307d4b7c0d8

Analysis

Target

Paket za proshlyj mesyac.exe
Size

1.4MB
MD5

03208be2340bbfea174cff970976b2c7
SHA1

e91ff54b19a37dc71af84902024de85f3c176f01
SHA256

785fb441663997067c0126c5574423d01242220e107db86c847ad8ea30752729
SHA512

f936f22581220c2ba3419decbcd49ad5f5270d52a839567d98c512b214082c366f7cbd20f9eb44e78a644c4eb9bb1575fc25a9ecca4f8b436b06de9da87d6d65

Score

7^/10

spyware stealer

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

220 PING.EXE
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 12 WinHttp.WinHttpRequest.5.1
HTTP User-Agent header 14 WinHttp.WinHttpRequest.5.1

pid	process
220	PING.EXE

description	flow	ioc
HTTP User-Agent header	12	WinHttp.WinHttpRequest.5.1
HTTP User-Agent header	14	WinHttp.WinHttpRequest.5.1

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

Paket za proshlyj mesyac.exePaket za proshlyj mesyac.execmd.exe

description	pid	process	target process
PID 3932 wrote to memory of 4844	3932	Paket za proshlyj mesyac.exe	Paket za proshlyj mesyac.exe
PID 3932 wrote to memory of 4844	3932	Paket za proshlyj mesyac.exe	Paket za proshlyj mesyac.exe
PID 3932 wrote to memory of 4844	3932	Paket za proshlyj mesyac.exe	Paket za proshlyj mesyac.exe
PID 4844 wrote to memory of 5032	4844	Paket za proshlyj mesyac.exe	cmd.exe
PID 4844 wrote to memory of 5032	4844	Paket za proshlyj mesyac.exe	cmd.exe
PID 5032 wrote to memory of 220	5032	cmd.exe	PING.EXE
PID 5032 wrote to memory of 220	5032	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\Paket za proshlyj mesyac.exe
"C:\Users\Admin\AppData\Local\Temp\Paket za proshlyj mesyac.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3932

C:\Users\Admin\AppData\Local\Temp\Paket za proshlyj mesyac.exe
"C:\Users\Admin\AppData\Local\Temp\Paket za proshlyj mesyac.exe" dfsr
2⤵
- Suspicious use of WriteProcessMemory
PID:4844

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c ping 127.0.0.1 & del /F /Q "C:\Users\Admin\AppData\Local\Temp\Paket za proshlyj mesyac.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:5032

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Remote System Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

memory/220-135-0x0000000000000000-mapping.dmp

Download
memory/3932-130-0x0000000002170000-0x000000000217E000-memory.dmp

Filesize
56KB

Download
memory/3932-131-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/4844-132-0x0000000000000000-mapping.dmp

Download
memory/4844-133-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/5032-134-0x0000000000000000-mapping.dmp

Download