Analysis

max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-05-2024 00:56

Behavioral task: behavioral1
Sample: Oplata ponedel'nik.exe
Resource: win7-20240221-en (windows7-x64)
6 signatures, 150 seconds
General

Target: Oplata ponedel'nik.exe
Size: 1.1MB
MD5: 9a4c7ae4bcaa653ffd966d17785ed92d
SHA1: 610343dbeb9e63ddd7fa2cfb765c8dda3c37c150
SHA256: d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff
SHA512: e6da37f1da3c075f0d435592eb69ef9cbfeb94f96f450b1a560fc7f9e7b6a5b903fdefa4fd2a749dfa0e3c5d0eac2777428e7dc92af0543cbc6ea55d3bf5d51f
SSDEEP: 3072:jBMY6A1ztHItWsT3i9/bW/Yx00yuhUb+SIT5DWqKlYcrgx+ICPKGy3yLs3/BJ:jB5JHIl6au00yrqSIZWDlujT
Malware Config

Signatures

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

Runs ping.exe (1 TTP, 1 IoC)

Script User-Agent (1 IoC)
Uses a User-Agent string associated with a script host/environment.
Processes:
description              flow  ioc
HTTP User-Agent header   4     WinHttp.WinHttpRequest.5.1

Suspicious use of WriteProcessMemory (7 IoCs)
Processes: Oplata ponedel'nik.exe, Oplata ponedel'nik.exe, cmd.exe
description                        pid   process                  target process
PID 1564 wrote to memory of 4948   1564  Oplata ponedel'nik.exe   Oplata ponedel'nik.exe
PID 1564 wrote to memory of 4948   1564  Oplata ponedel'nik.exe   Oplata ponedel'nik.exe
PID 1564 wrote to memory of 4948   1564  Oplata ponedel'nik.exe   Oplata ponedel'nik.exe
PID 4948 wrote to memory of 432    4948  Oplata ponedel'nik.exe   cmd.exe
PID 4948 wrote to memory of 432    4948  Oplata ponedel'nik.exe   cmd.exe
PID 432 wrote to memory of 3948    432   cmd.exe                  PING.EXE
PID 432 wrote to memory of 3948    432   cmd.exe                  PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\Oplata ponedel'nik.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Oplata ponedel'nik.exe"
  signatures: Suspicious use of WriteProcessMemory
  PID: 1564

  C:\Users\Admin\AppData\Local\Temp\Oplata ponedel'nik.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Oplata ponedel'nik.exe" dfsr
    signatures: Suspicious use of WriteProcessMemory
    PID: 4948

    C:\Windows\SYSTEM32\cmd.exe
      command line: cmd.exe /c ping 127.0.0.1 & del /F /Q "C:\Users\Admin\AppData\Local\Temp\Oplata ponedel'nik.exe"
      signatures: Suspicious use of WriteProcessMemory
      PID: 432

      C:\Windows\system32\PING.EXE
        command line: ping 127.0.0.1
        signatures: Runs ping.exe
        PID: 3948
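As an added example (not part of the sandbox report and not code from the sample), the Python script below applies three detections to the process tree and the User-Agent IoC listed above: a process that re-launches its own image and then writes into the child's memory (the 1564 -> 4948 pair, the usual shape of process hollowing or self-injection), a cmd.exe that sleeps with `ping` and then deletes an ancestor's executable (the self-delete at PID 432), and the default User-Agent of the WinHttpRequest COM object. The PIDs, image paths and command lines are transcribed from the tree above; the parent links follow its nesting, and the `Proc` record type and the function names are this example's own.

```python
"""Added example, not part of the sandbox report: heuristics over the process
tree and the HTTP User-Agent IoC shown above. PIDs, image paths and command
lines are transcribed from the report; the Proc type, the parent links and
the function names are this example's own."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Proc:
    pid: int
    image: str             # full path of the executable image
    cmdline: str           # command line as the sandbox recorded it
    parent: Optional[int]  # parent PID, None for the root of the tree


SELF = r"C:\Users\Admin\AppData\Local\Temp\Oplata ponedel'nik.exe"

# Process tree from the report; parent links follow the tree's nesting.
PROCESSES = [
    Proc(1564, SELF, f'"{SELF}"', None),
    Proc(4948, SELF, f'"{SELF}" dfsr', 1564),
    Proc(432, r"C:\Windows\SYSTEM32\cmd.exe",
         f'cmd.exe /c ping 127.0.0.1 & del /F /Q "{SELF}"', 4948),
    Proc(3948, r"C:\Windows\system32\PING.EXE", "ping 127.0.0.1", 432),
]

# (writer pid, target pid) pairs from the WriteProcessMemory table above.
WRITES = [(1564, 4948)] * 3 + [(4948, 432)] * 2 + [(432, 3948)] * 2


def find_self_relaunch(procs, writes):
    """(parent, child) pairs where a process starts its own image again and
    then writes into the child: the shape of process hollowing / self-injection
    (second instance started, its memory rewritten before it runs)."""
    by_pid = {p.pid: p for p in procs}
    written = set(writes)
    hits = []
    for child in procs:
        parent = by_pid.get(child.parent)
        if parent is None or parent.image.lower() != child.image.lower():
            continue
        if (parent.pid, child.pid) in written:
            hits.append((parent.pid, child.pid))
    return hits


# "ping <host> & del [/switches] <path>": ping is used as a sleep so the file
# is no longer locked by its own process when del runs.
_PING_DEL = re.compile(
    r'\bping\b[^&]*&+\s*del\b(?:\s+/\w+)*\s*"?(?P<path>[^"&]+?\.exe)"?',
    re.IGNORECASE,
)


def find_delayed_self_delete(procs):
    """cmd.exe instances that ping-sleep and then delete the image of one of
    their own ancestors. Returns one record per cmd.exe with all ancestor PIDs
    that run the deleted image, nearest first."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if not p.image.lower().endswith("cmd.exe"):
            continue
        m = _PING_DEL.search(p.cmdline)
        if not m:
            continue
        path = m.group("path").strip()
        victims = []
        anc = by_pid.get(p.parent)
        while anc is not None:           # walk up to the root of the tree
            if anc.image.lower() == path.lower():
                victims.append(anc.pid)
            anc = by_pid.get(anc.parent)
        if victims:
            hits.append({"cmd_pid": p.pid, "path": path, "ancestor_pids": victims})
    return hits


def is_script_user_agent(ua):
    """True for the default User-Agent of the WinHttpRequest COM object, which
    scripts (VBScript/JScript/PowerShell) send when they set none themselves;
    the report's flow 4 carried exactly this value."""
    return ua.strip().lower().startswith("winhttp.winhttprequest")


if __name__ == "__main__":
    print("self-relaunch + WriteProcessMemory:", find_self_relaunch(PROCESSES, WRITES))
    print("ping-delayed self-delete:", find_delayed_self_delete(PROCESSES))
    print("script User-Agent:", is_script_user_agent("WinHttp.WinHttpRequest.5.1"))
```

The self-delete check deliberately requires the deleted path to match an ancestor's image rather than any `.exe`: a `ping & del` of an unrelated file is ordinary batch-script housekeeping, while deleting the binary that sits above you in the tree only makes sense for a dropper covering its tracks after the hollowed second instance (PID 4948) has taken over.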