a0a2d1fc3ad4683f8cdd5ab29312f5c515e8543404926a94db641022c9ab40f8

Analysis

Target

Dokumenty, sverka za ves' aprel'.exe
Size

1.2MB
MD5

3448bd5bfb42260c58d727ae038a3692
SHA1

e4581240bbb01ed6c76a1a7f4baccfaf80a0989a
SHA256

25fe3949ffb0fb49cc27992f89558c45abdda778e775a58fde4647fb36dcafff
SHA512

2eed63faeca539e8679744fad79d60b406f038f845f5ca9e2f9288d8622da1f8ed33f4d3b90f68b9f23cb6a3bf5ba6afc4af195c9963423315c09c8640abeef3

Score

7^/10

spyware stealer

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1208 PING.EXE
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 11 WinHttp.WinHttpRequest.5.1
HTTP User-Agent header 13 WinHttp.WinHttpRequest.5.1

pid	process
1208	PING.EXE

description	flow	ioc
HTTP User-Agent header	11	WinHttp.WinHttpRequest.5.1
HTTP User-Agent header	13	WinHttp.WinHttpRequest.5.1

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

Dokumenty, sverka za ves' aprel'.exeDokumenty, sverka za ves' aprel'.execmd.exe

description	pid	process	target process
PID 3948 wrote to memory of 4504	3948	Dokumenty, sverka za ves' aprel'.exe	Dokumenty, sverka za ves' aprel'.exe
PID 3948 wrote to memory of 4504	3948	Dokumenty, sverka za ves' aprel'.exe	Dokumenty, sverka za ves' aprel'.exe
PID 3948 wrote to memory of 4504	3948	Dokumenty, sverka za ves' aprel'.exe	Dokumenty, sverka za ves' aprel'.exe
PID 4504 wrote to memory of 340	4504	Dokumenty, sverka za ves' aprel'.exe	cmd.exe
PID 4504 wrote to memory of 340	4504	Dokumenty, sverka za ves' aprel'.exe	cmd.exe
PID 340 wrote to memory of 1208	340	cmd.exe	PING.EXE
PID 340 wrote to memory of 1208	340	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\Dokumenty, sverka za ves' aprel'.exe
"C:\Users\Admin\AppData\Local\Temp\Dokumenty, sverka za ves' aprel'.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3948

C:\Users\Admin\AppData\Local\Temp\Dokumenty, sverka za ves' aprel'.exe
"C:\Users\Admin\AppData\Local\Temp\Dokumenty, sverka za ves' aprel'.exe" dfsr
2⤵
- Suspicious use of WriteProcessMemory
PID:4504

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c ping 127.0.0.1 & del /F /Q "C:\Users\Admin\AppData\Local\Temp\Dokumenty, sverka za ves' aprel'.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:340

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Remote System Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

memory/340-134-0x0000000000000000-mapping.dmp

Download
memory/1208-135-0x0000000000000000-mapping.dmp

Download
memory/3948-132-0x0000000000400000-0x000000000052A000-memory.dmp

Filesize
1.2MB

Download
memory/3948-131-0x00000000006C0000-0x00000000006CE000-memory.dmp

Filesize
56KB

Download
memory/4504-130-0x0000000000000000-mapping.dmp

Download
memory/4504-133-0x0000000000400000-0x000000000052A000-memory.dmp

Filesize
1.2MB

Download