Analysis
-
max time kernel
149s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
21-05-2022 10:35
Behavioral task
behavioral1
Sample
Dokumenty, sverka za ves' aprel'.exe
Resource
win7-20220414-en
windows7_x64
0 signatures
0 seconds
General
-
Target
Dokumenty, sverka za ves' aprel'.exe
-
Size
1.2MB
-
MD5
3448bd5bfb42260c58d727ae038a3692
-
SHA1
e4581240bbb01ed6c76a1a7f4baccfaf80a0989a
-
SHA256
25fe3949ffb0fb49cc27992f89558c45abdda778e775a58fde4647fb36dcafff
-
SHA512
2eed63faeca539e8679744fad79d60b406f038f845f5ca9e2f9288d8622da1f8ed33f4d3b90f68b9f23cb6a3bf5ba6afc4af195c9963423315c09c8640abeef3
Malware Config
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description              flow  ioc
HTTP User-Agent header   11    WinHttp.WinHttpRequest.5.1
HTTP User-Agent header   13    WinHttp.WinHttpRequest.5.1
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
description                      pid   process                               target process
PID 3948 wrote to memory of 4504  3948  Dokumenty, sverka za ves' aprel'.exe  Dokumenty, sverka za ves' aprel'.exe
PID 3948 wrote to memory of 4504  3948  Dokumenty, sverka za ves' aprel'.exe  Dokumenty, sverka za ves' aprel'.exe
PID 3948 wrote to memory of 4504  3948  Dokumenty, sverka za ves' aprel'.exe  Dokumenty, sverka za ves' aprel'.exe
PID 4504 wrote to memory of 340   4504  Dokumenty, sverka za ves' aprel'.exe  cmd.exe
PID 4504 wrote to memory of 340   4504  Dokumenty, sverka za ves' aprel'.exe  cmd.exe
PID 340 wrote to memory of 1208   340   cmd.exe                               PING.EXE
PID 340 wrote to memory of 1208   340   cmd.exe                               PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\Dokumenty, sverka za ves' aprel'.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Dokumenty, sverka za ves' aprel'.exe"
Process tree depth: 1
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Dokumenty, sverka za ves' aprel'.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Dokumenty, sverka za ves' aprel'.exe" dfsr
Process tree depth: 2
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.exe
Command line: cmd.exe /c ping 127.0.0.1 & del /F /Q "C:\Users\Admin\AppData\Local\Temp\Dokumenty, sverka za ves' aprel'.exe"
Process tree depth: 3
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\PING.EXE
Command line: ping 127.0.0.1
Process tree depth: 4
- Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
memory/340-134-0x0000000000000000-mapping.dmp
-
memory/1208-135-0x0000000000000000-mapping.dmp
-
memory/3948-132-0x0000000000400000-0x000000000052A000-memory.dmp
Filesize: 1.2MB
-
memory/3948-131-0x00000000006C0000-0x00000000006CE000-memory.dmp
Filesize: 56KB
-
memory/4504-130-0x0000000000000000-mapping.dmp
-
memory/4504-133-0x0000000000400000-0x000000000052A000-memory.dmp
Filesize: 1.2MB