Analysis
- max time kernel: 153s
- max time network: 141s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 10:35
Behavioral task
- behavioral1
  - Sample: Dokumenty, sverka za ves' aprel'.exe
  - Resource: win7-20220414-en
  - Platform: windows7_x64
  - 0 signatures
  - 0 seconds
General
- Target: Dokumenty, sverka za ves' aprel'.exe
- Size: 1.2MB
- MD5: 3448bd5bfb42260c58d727ae038a3692
- SHA1: e4581240bbb01ed6c76a1a7f4baccfaf80a0989a
- SHA256: 25fe3949ffb0fb49cc27992f89558c45abdda778e775a58fde4647fb36dcafff
- SHA512: 2eed63faeca539e8679744fad79d60b406f038f845f5ca9e2f9288d8622da1f8ed33f4d3b90f68b9f23cb6a3bf5ba6afc4af195c9963423315c09c8640abeef3
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
  Processes:
  description | ioc | process
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 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 | Dokumenty, sverka za ves' aprel'.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | Dokumenty, sverka za ves' aprel'.exe
- Script User-Agent (1 IoC)
  Uses user-agent string associated with script host/environment.
  Processes:
  description | flow | ioc
  HTTP User-Agent header | 4 | WinHttp.WinHttpRequest.5.1
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description | pid | process | target process
  PID 2016 wrote to memory of 1892 | 2016 | Dokumenty, sverka za ves' aprel'.exe | Dokumenty, sverka za ves' aprel'.exe
  PID 2016 wrote to memory of 1892 | 2016 | Dokumenty, sverka za ves' aprel'.exe | Dokumenty, sverka za ves' aprel'.exe
  PID 2016 wrote to memory of 1892 | 2016 | Dokumenty, sverka za ves' aprel'.exe | Dokumenty, sverka za ves' aprel'.exe
  PID 2016 wrote to memory of 1892 | 2016 | Dokumenty, sverka za ves' aprel'.exe | Dokumenty, sverka za ves' aprel'.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Dokumenty, sverka za ves' aprel'.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Dokumenty, sverka za ves' aprel'.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Dokumenty, sverka za ves' aprel'.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Dokumenty, sverka za ves' aprel'.exe" dfsr
    - Modifies system certificate store
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1892-54-0x0000000000000000-mapping.dmp
- memory/1892-57-0x0000000075BF1000-0x0000000075BF3000-memory.dmp (Filesize: 8KB)
- memory/1892-58-0x0000000000400000-0x000000000052A000-memory.dmp (Filesize: 1.2MB)
- memory/2016-55-0x0000000000230000-0x000000000023E000-memory.dmp (Filesize: 56KB)
- memory/2016-56-0x0000000000400000-0x000000000052A000-memory.dmp (Filesize: 1.2MB)