Analysis
- max time kernel: 124s
- max time network: 139s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 10:34
Behavioral task
- behavioral1
- Sample: Sverka maj.exe
- Resource: win7-20220414-en
- Platform: windows7_x64
- 0 signatures
- 0 seconds
General
- Target: Sverka maj.exe
- Size: 187KB
- MD5: 9c36d806f114ad981ed65f3763e04131
- SHA1: 8b546cede088ececf790ac1cafb02cf5a0366c8e
- SHA256: 489f3a394942157dbc0ed01c09989288c1a87a2d7b80a6382a4338094b35d710
- SHA512: 7fb6bb68f45f5fe39ff61c7cd445c71039ddb1260c1a25fe61059ecb03f99f41db2ffd1a273f250168d5c592d2aa6d0fb1bc09a2293057dd5dbbfa6fd4712fe3
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Script User-Agent (2 IoCs)
  Uses user-agent string associated with script host/environment.
  Processes:
  description            | flow | ioc
  HTTP User-Agent header | 6    | WinHttp.WinHttpRequest.5.1
  HTTP User-Agent header | 8    | WinHttp.WinHttpRequest.5.1
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: Sverka maj.exe, Sverka maj.exe, cmd.exe
  description                      | pid  | process        | target process
  PID 2176 wrote to memory of 4128 | 2176 | Sverka maj.exe | Sverka maj.exe
  PID 2176 wrote to memory of 4128 | 2176 | Sverka maj.exe | Sverka maj.exe
  PID 2176 wrote to memory of 4128 | 2176 | Sverka maj.exe | Sverka maj.exe
  PID 4128 wrote to memory of 4100 | 4128 | Sverka maj.exe | cmd.exe
  PID 4128 wrote to memory of 4100 | 4128 | Sverka maj.exe | cmd.exe
  PID 4100 wrote to memory of 4940 | 4100 | cmd.exe        | PING.EXE
  PID 4100 wrote to memory of 4940 | 4100 | cmd.exe        | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\Sverka maj.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Sverka maj.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Sverka maj.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sverka maj.exe" dfsr
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd.exe /c ping 127.0.0.1 & del /F /Q "C:\Users\Admin\AppData\Local\Temp\Sverka maj.exe"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\PING.EXE
        Command line: ping 127.0.0.1
        - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2176-131-0x0000000002170000-0x000000000217E000-memory.dmp (Filesize 56KB)
- memory/2176-132-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize 196KB)
- memory/4100-134-0x0000000000000000-mapping.dmp
- memory/4128-130-0x0000000000000000-mapping.dmp
- memory/4128-133-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize 196KB)
- memory/4940-135-0x0000000000000000-mapping.dmp