40fc1e6f956763871d70c576634c8444713283d44cb09048b1d451d0f1f6207e

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 00:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Oplata ponedel'nik.exe
Size

1.1MB
MD5

9a4c7ae4bcaa653ffd966d17785ed92d
SHA1

610343dbeb9e63ddd7fa2cfb765c8dda3c37c150
SHA256

d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff
SHA512

e6da37f1da3c075f0d435592eb69ef9cbfeb94f96f450b1a560fc7f9e7b6a5b903fdefa4fd2a749dfa0e3c5d0eac2777428e7dc92af0543cbc6ea55d3bf5d51f
SSDEEP

3072:jBMY6A1ztHItWsT3i9/bW/Yx00yuhUb+SIT5DWqKlYcrgx+ICPKGy3yLs3/BJ:jB5JHIl6au00yrqSIZWDlujT

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3948 PING.EXE
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 4 WinHttp.WinHttpRequest.5.1

pid	process
3948	PING.EXE

description	flow	ioc
HTTP User-Agent header	4	WinHttp.WinHttpRequest.5.1

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

Oplata ponedel'nik.exeOplata ponedel'nik.execmd.exe

description	pid	process	target process
PID 1564 wrote to memory of 4948	1564	Oplata ponedel'nik.exe	Oplata ponedel'nik.exe
PID 1564 wrote to memory of 4948	1564	Oplata ponedel'nik.exe	Oplata ponedel'nik.exe
PID 1564 wrote to memory of 4948	1564	Oplata ponedel'nik.exe	Oplata ponedel'nik.exe
PID 4948 wrote to memory of 432	4948	Oplata ponedel'nik.exe	cmd.exe
PID 4948 wrote to memory of 432	4948	Oplata ponedel'nik.exe	cmd.exe
PID 432 wrote to memory of 3948	432	cmd.exe	PING.EXE
PID 432 wrote to memory of 3948	432	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\Oplata ponedel'nik.exe
"C:\Users\Admin\AppData\Local\Temp\Oplata ponedel'nik.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1564
- C:\Users\Admin\AppData\Local\Temp\Oplata ponedel'nik.exe
  "C:\Users\Admin\AppData\Local\Temp\Oplata ponedel'nik.exe" dfsr
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4948
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c ping 127.0.0.1 & del /F /Q "C:\Users\Admin\AppData\Local\Temp\Oplata ponedel'nik.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:432
  - - C:\Windows\system32\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:3948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1564-2-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1564-0-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/1564-1-0x00000000006F0000-0x00000000006FE000-memory.dmp

Filesize
56KB

Download
memory/4948-3-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4948-7-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/4948-9-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4948-11-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4948-10-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download