Analysis

  • max time kernel
    144s
  • max time network
    41s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    10-09-2021 21:28

General

  • Target

    Fri191454c4b4.exe

  • Size

    151KB

  • MD5

    7c8489d12be3a8b7c8d0a1cec55e2c34

  • SHA1

    01d47c6e6809392ee6c85f3204d43b4dc5e83544

  • SHA256

    6e5c3d18da03948721f6a66c441990b099f5f9abec0ab8a0ebe7aa9b83fad784

  • SHA512

    83381a04e2ed42f0098f4d37592811aea0ad37e6fb0d6a5b8ba05563bf51ac229f5626fdc9a63ef3edbd1ef9d30948c8227a139c2abeabf11cdbced01cfc2f64

Signatures

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Fri191454c4b4.exe
    "C:\Users\Admin\AppData\Local\Temp\Fri191454c4b4.exe"
    1⤵
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1836
    • C:\ProgramData\2541084.exe
      "C:\ProgramData\2541084.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1588
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 1588 -s 1856
        3⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:1988
    • C:\ProgramData\3967917.exe
      "C:\ProgramData\3967917.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1176
      • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        3⤵
        • Executes dropped EXE
        PID:1012
    • C:\ProgramData\8780876.exe
      "C:\ProgramData\8780876.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1092
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 1852
        3⤵
        • Loads dropped DLL
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:1360

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
    Registry Run Keys / Startup Folder (T1060): 1
  • Defense Evasion
    Modify Registry (T1112): 2
    Install Root Certificate (T1130): 1
  • Credential Access
    Credentials in Files (T1081): 2
  • Discovery
    Query Registry (T1012): 1
    System Information Discovery (T1082): 1
  • Collection
    Data from Local System (T1005): 2

Downloads

  • C:\ProgramData\2541084.exe
    MD5

    05213c90ae83f9a9721ec8556d989b3f

    SHA1

    6b08770d890d232fa912b4fbc3a18b7a69afa006

    SHA256

    3d4e9dcaedad519133be041dd9dc02d6ba9aa241a2f4ebc90bcf21147d5d5a9d

    SHA512

    1ff033fa4787ccdd1ffe2d97f1475597abe1a7af97076fa7ef09f370e54d3bac333530055048fa6272c3afef2ba57b63c219c99155483a4885ae1ffe823f2d0d

  • C:\ProgramData\3967917.exe
    MD5

    b9295c5e9138ccf15d67771f3726c778

    SHA1

    40cd9d94e9913a52877f09f340a5c2604030409c

    SHA256

    8c4a2330010cdb34faf9f565943736d0bb9d21eb96a67ccc20c246cfe13e6292

    SHA512

    4e1d7e74be77d151b79024db20f3427c53ddf0557bbccd71b93750514462b5d2d2130948c668b05e66cf4098a56ad34c75ec7d1bd2e21e1c0bda01f7f4345f08

  • C:\ProgramData\8780876.exe
    MD5

    2c76b57419e7f8a66095faa6d53a687c

    SHA1

    33444cae4ddc3c2c0ce39fd0ec9c30fbbc714096

    SHA256

    496a6f3653e7e56b5fe18f0be1f46bd685ab3a41536fcb7075e11028b464b385

    SHA512

    1aa37ebadc0c1d29f87ef59074ba6c082369eb5b3ba297a34dcf9f5d5a9ca0664e33051d3b6346910fd0d49c69068ee99c8ed2464fff63679c1cf11362ddadfc

  • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
    MD5

    b9295c5e9138ccf15d67771f3726c778

    SHA1

    40cd9d94e9913a52877f09f340a5c2604030409c

    SHA256

    8c4a2330010cdb34faf9f565943736d0bb9d21eb96a67ccc20c246cfe13e6292

    SHA512

    4e1d7e74be77d151b79024db20f3427c53ddf0557bbccd71b93750514462b5d2d2130948c668b05e66cf4098a56ad34c75ec7d1bd2e21e1c0bda01f7f4345f08

  • \ProgramData\8780876.exe
    MD5

    2c76b57419e7f8a66095faa6d53a687c

    SHA1

    33444cae4ddc3c2c0ce39fd0ec9c30fbbc714096

    SHA256

    496a6f3653e7e56b5fe18f0be1f46bd685ab3a41536fcb7075e11028b464b385

    SHA512

    1aa37ebadc0c1d29f87ef59074ba6c082369eb5b3ba297a34dcf9f5d5a9ca0664e33051d3b6346910fd0d49c69068ee99c8ed2464fff63679c1cf11362ddadfc

  • \Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
    MD5

    b9295c5e9138ccf15d67771f3726c778

    SHA1

    40cd9d94e9913a52877f09f340a5c2604030409c

    SHA256

    8c4a2330010cdb34faf9f565943736d0bb9d21eb96a67ccc20c246cfe13e6292

    SHA512

    4e1d7e74be77d151b79024db20f3427c53ddf0557bbccd71b93750514462b5d2d2130948c668b05e66cf4098a56ad34c75ec7d1bd2e21e1c0bda01f7f4345f08

  • memory/1012-96-0x0000000001060000-0x0000000001061000-memory.dmp
    Filesize

    4KB

  • memory/1012-93-0x0000000000000000-mapping.dmp
  • memory/1012-101-0x0000000004990000-0x0000000004991000-memory.dmp
    Filesize

    4KB

  • memory/1092-86-0x00000000005C0000-0x00000000005C1000-memory.dmp
    Filesize

    4KB

  • memory/1092-78-0x0000000000000000-mapping.dmp
  • memory/1092-81-0x0000000000A00000-0x0000000000A01000-memory.dmp
    Filesize

    4KB

  • memory/1092-88-0x0000000000880000-0x00000000008B7000-memory.dmp
    Filesize

    220KB

  • memory/1092-89-0x00000000008C0000-0x00000000008C1000-memory.dmp
    Filesize

    4KB

  • memory/1092-91-0x00000000047E0000-0x00000000047E1000-memory.dmp
    Filesize

    4KB

  • memory/1176-82-0x0000000001170000-0x0000000001171000-memory.dmp
    Filesize

    4KB

  • memory/1176-85-0x00000000004C0000-0x00000000004C1000-memory.dmp
    Filesize

    4KB

  • memory/1176-87-0x00000000004D0000-0x00000000004DC000-memory.dmp
    Filesize

    48KB

  • memory/1176-90-0x00000000004E0000-0x00000000004E1000-memory.dmp
    Filesize

    4KB

  • memory/1176-74-0x0000000000000000-mapping.dmp
  • memory/1360-111-0x0000000000950000-0x0000000000951000-memory.dmp
    Filesize

    4KB

  • memory/1360-105-0x0000000000000000-mapping.dmp
  • memory/1588-73-0x0000000000480000-0x0000000000481000-memory.dmp
    Filesize

    4KB

  • memory/1588-77-0x000000001AE10000-0x000000001AE12000-memory.dmp
    Filesize

    8KB

  • memory/1588-71-0x00000000002C0000-0x00000000002C1000-memory.dmp
    Filesize

    4KB

  • memory/1588-69-0x0000000000D00000-0x0000000000D01000-memory.dmp
    Filesize

    4KB

  • memory/1588-72-0x0000000000450000-0x0000000000480000-memory.dmp
    Filesize

    192KB

  • memory/1588-66-0x0000000000000000-mapping.dmp
  • memory/1836-64-0x0000000000260000-0x0000000000261000-memory.dmp
    Filesize

    4KB

  • memory/1836-65-0x000000001AE10000-0x000000001AE12000-memory.dmp
    Filesize

    8KB

  • memory/1836-63-0x0000000000280000-0x000000000029C000-memory.dmp
    Filesize

    112KB

  • memory/1836-62-0x0000000000250000-0x0000000000251000-memory.dmp
    Filesize

    4KB

  • memory/1836-60-0x0000000000880000-0x0000000000881000-memory.dmp
    Filesize

    4KB

  • memory/1988-104-0x0000000002170000-0x0000000002171000-memory.dmp
    Filesize

    4KB

  • memory/1988-103-0x000007FEFBC31000-0x000007FEFBC33000-memory.dmp
    Filesize

    8KB

  • memory/1988-102-0x0000000000000000-mapping.dmp