Overview
overview
10Static
static
10Fri191454c4b4.exe
windows7_x64
8Fri191454c4b4.exe
windows10_x64
8Fri1921f7a9d3.exe
windows7_x64
10Fri1921f7a9d3.exe
windows10_x64
10Fri192902b3c24.exe
windows7_x64
10Fri192902b3c24.exe
windows10_x64
10Fri192b9eeaa03b.exe
windows7_x64
10Fri192b9eeaa03b.exe
windows10_x64
10Fri192c305b4a.exe
windows7_x64
10Fri192c305b4a.exe
windows10_x64
10Fri192f077...dd.exe
windows7_x64
10Fri192f077...dd.exe
windows10_x64
10Fri195cd4d...97.exe
windows7_x64
10Fri195cd4d...97.exe
windows10_x64
10Fri19870e2...44.exe
windows7_x64
10Fri19870e2...44.exe
windows10_x64
10Fri19927b4...d1.exe
windows7_x64
10Fri19927b4...d1.exe
windows10_x64
10Fri19ca03f05489b.exe
windows7_x64
6Fri19ca03f05489b.exe
windows10_x64
6Fri19d30056588.exe
windows7_x64
10Fri19d30056588.exe
windows10_x64
10libcurl.dll
windows7_x64
3libcurl.dll
windows10_x64
3libcurlpp.dll
windows7_x64
libcurlpp.dll
windows10_x64
3libgcc_s_dw2-1.dll
windows7_x64
libgcc_s_dw2-1.dll
windows10_x64
3libstdc++-6.dll
windows7_x64
3libstdc++-6.dll
windows10_x64
3libwinpthread-1.dll
windows7_x64
1libwinpthread-1.dll
windows10_x64
1Analysis
-
max time kernel
76s -
max time network
167s -
platform
windows10_x64 -
resource
win10-en -
submitted
10-09-2021 21:28
Behavioral task
behavioral1
Sample
Fri191454c4b4.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
Fri191454c4b4.exe
Resource
win10-en
Behavioral task
behavioral3
Sample
Fri1921f7a9d3.exe
Resource
win7v20210408
Behavioral task
behavioral4
Sample
Fri1921f7a9d3.exe
Resource
win10-en
Behavioral task
behavioral5
Sample
Fri192902b3c24.exe
Resource
win7-en
Behavioral task
behavioral6
Sample
Fri192902b3c24.exe
Resource
win10v20210408
Behavioral task
behavioral7
Sample
Fri192b9eeaa03b.exe
Resource
win7-en
Behavioral task
behavioral8
Sample
Fri192b9eeaa03b.exe
Resource
win10v20210408
Behavioral task
behavioral9
Sample
Fri192c305b4a.exe
Resource
win7-en
Behavioral task
behavioral10
Sample
Fri192c305b4a.exe
Resource
win10v20210408
Behavioral task
behavioral11
Sample
Fri192f077acf656dd.exe
Resource
win7-en
Behavioral task
behavioral12
Sample
Fri192f077acf656dd.exe
Resource
win10-en
Behavioral task
behavioral13
Sample
Fri195cd4dbfdf37897.exe
Resource
win7v20210408
Behavioral task
behavioral14
Sample
Fri195cd4dbfdf37897.exe
Resource
win10-en
Behavioral task
behavioral15
Sample
Fri19870e2febf5544.exe
Resource
win7v20210408
Behavioral task
behavioral16
Sample
Fri19870e2febf5544.exe
Resource
win10-en
Behavioral task
behavioral17
Sample
Fri19927b4fe38a9d1.exe
Resource
win7v20210408
Behavioral task
behavioral18
Sample
Fri19927b4fe38a9d1.exe
Resource
win10-en
Behavioral task
behavioral19
Sample
Fri19ca03f05489b.exe
Resource
win7-en
Behavioral task
behavioral20
Sample
Fri19ca03f05489b.exe
Resource
win10v20210408
Behavioral task
behavioral21
Sample
Fri19d30056588.exe
Resource
win7-en
Behavioral task
behavioral22
Sample
Fri19d30056588.exe
Resource
win10v20210408
Behavioral task
behavioral23
Sample
libcurl.dll
Resource
win7-en
Behavioral task
behavioral24
Sample
libcurl.dll
Resource
win10v20210408
Behavioral task
behavioral25
Sample
libcurlpp.dll
Resource
win7-en
Behavioral task
behavioral26
Sample
libcurlpp.dll
Resource
win10v20210408
Behavioral task
behavioral27
Sample
libgcc_s_dw2-1.dll
Resource
win7-en
Behavioral task
behavioral28
Sample
libgcc_s_dw2-1.dll
Resource
win10-en
Behavioral task
behavioral29
Sample
libstdc++-6.dll
Resource
win7v20210408
Behavioral task
behavioral30
Sample
libstdc++-6.dll
Resource
win10-en
Behavioral task
behavioral31
Sample
libwinpthread-1.dll
Resource
win7v20210408
Behavioral task
behavioral32
Sample
libwinpthread-1.dll
Resource
win10-en
General
-
Target
Fri191454c4b4.exe
-
Size
151KB
-
MD5
7c8489d12be3a8b7c8d0a1cec55e2c34
-
SHA1
01d47c6e6809392ee6c85f3204d43b4dc5e83544
-
SHA256
6e5c3d18da03948721f6a66c441990b099f5f9abec0ab8a0ebe7aa9b83fad784
-
SHA512
83381a04e2ed42f0098f4d37592811aea0ad37e6fb0d6a5b8ba05563bf51ac229f5626fdc9a63ef3edbd1ef9d30948c8227a139c2abeabf11cdbced01cfc2f64
Malware Config
Signatures
-
Executes dropped EXE 4 IoCs
Processes:
5268839.exe3007104.exe5521072.exeWinHoster.exepid process 4904 5268839.exe 4952 3007104.exe 5064 5521072.exe 3344 WinHoster.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
3007104.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe" 3007104.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Windows directory 1 IoCs
Processes:
WerFault.exedescription ioc process File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp WerFault.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
Processes:
WerFault.exeWerFault.exepid pid_target process target process 4104 4904 WerFault.exe 5268839.exe 3996 5064 WerFault.exe 5521072.exe -
Suspicious behavior: EnumeratesProcesses 30 IoCs
Processes:
5268839.exe5521072.exeWerFault.exeWerFault.exepid process 4904 5268839.exe 5064 5521072.exe 4104 WerFault.exe 4104 WerFault.exe 4104 WerFault.exe 4104 WerFault.exe 4104 WerFault.exe 4104 WerFault.exe 4104 WerFault.exe 4104 WerFault.exe 4104 WerFault.exe 4104 WerFault.exe 4104 WerFault.exe 4104 WerFault.exe 4104 WerFault.exe 4104 WerFault.exe 3996 WerFault.exe 3996 WerFault.exe 3996 WerFault.exe 3996 WerFault.exe 3996 WerFault.exe 3996 WerFault.exe 3996 WerFault.exe 3996 WerFault.exe 3996 WerFault.exe 3996 WerFault.exe 3996 WerFault.exe 3996 WerFault.exe 3996 WerFault.exe 3996 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
Fri191454c4b4.exe5268839.exe5521072.exeWerFault.exeWerFault.exedescription pid process Token: SeDebugPrivilege 4820 Fri191454c4b4.exe Token: SeDebugPrivilege 4904 5268839.exe Token: SeDebugPrivilege 5064 5521072.exe Token: SeDebugPrivilege 4104 WerFault.exe Token: SeRestorePrivilege 3996 WerFault.exe Token: SeBackupPrivilege 3996 WerFault.exe Token: SeBackupPrivilege 3996 WerFault.exe Token: SeDebugPrivilege 3996 WerFault.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
Fri191454c4b4.exe3007104.exedescription pid process target process PID 4820 wrote to memory of 4904 4820 Fri191454c4b4.exe 5268839.exe PID 4820 wrote to memory of 4904 4820 Fri191454c4b4.exe 5268839.exe PID 4820 wrote to memory of 4952 4820 Fri191454c4b4.exe 3007104.exe PID 4820 wrote to memory of 4952 4820 Fri191454c4b4.exe 3007104.exe PID 4820 wrote to memory of 4952 4820 Fri191454c4b4.exe 3007104.exe PID 4820 wrote to memory of 5064 4820 Fri191454c4b4.exe 5521072.exe PID 4820 wrote to memory of 5064 4820 Fri191454c4b4.exe 5521072.exe PID 4820 wrote to memory of 5064 4820 Fri191454c4b4.exe 5521072.exe PID 4952 wrote to memory of 3344 4952 3007104.exe WinHoster.exe PID 4952 wrote to memory of 3344 4952 3007104.exe WinHoster.exe PID 4952 wrote to memory of 3344 4952 3007104.exe WinHoster.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Fri191454c4b4.exe"C:\Users\Admin\AppData\Local\Temp\Fri191454c4b4.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\5268839.exe"C:\ProgramData\5268839.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4904 -s 20243⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\3007104.exe"C:\ProgramData\3007104.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"3⤵
- Executes dropped EXE
-
C:\ProgramData\5521072.exe"C:\ProgramData\5521072.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 21243⤵
- Drops file in Windows directory
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\3007104.exeMD5
b9295c5e9138ccf15d67771f3726c778
SHA140cd9d94e9913a52877f09f340a5c2604030409c
SHA2568c4a2330010cdb34faf9f565943736d0bb9d21eb96a67ccc20c246cfe13e6292
SHA5124e1d7e74be77d151b79024db20f3427c53ddf0557bbccd71b93750514462b5d2d2130948c668b05e66cf4098a56ad34c75ec7d1bd2e21e1c0bda01f7f4345f08
-
C:\ProgramData\3007104.exeMD5
b9295c5e9138ccf15d67771f3726c778
SHA140cd9d94e9913a52877f09f340a5c2604030409c
SHA2568c4a2330010cdb34faf9f565943736d0bb9d21eb96a67ccc20c246cfe13e6292
SHA5124e1d7e74be77d151b79024db20f3427c53ddf0557bbccd71b93750514462b5d2d2130948c668b05e66cf4098a56ad34c75ec7d1bd2e21e1c0bda01f7f4345f08
-
C:\ProgramData\5268839.exeMD5
05213c90ae83f9a9721ec8556d989b3f
SHA16b08770d890d232fa912b4fbc3a18b7a69afa006
SHA2563d4e9dcaedad519133be041dd9dc02d6ba9aa241a2f4ebc90bcf21147d5d5a9d
SHA5121ff033fa4787ccdd1ffe2d97f1475597abe1a7af97076fa7ef09f370e54d3bac333530055048fa6272c3afef2ba57b63c219c99155483a4885ae1ffe823f2d0d
-
C:\ProgramData\5268839.exeMD5
05213c90ae83f9a9721ec8556d989b3f
SHA16b08770d890d232fa912b4fbc3a18b7a69afa006
SHA2563d4e9dcaedad519133be041dd9dc02d6ba9aa241a2f4ebc90bcf21147d5d5a9d
SHA5121ff033fa4787ccdd1ffe2d97f1475597abe1a7af97076fa7ef09f370e54d3bac333530055048fa6272c3afef2ba57b63c219c99155483a4885ae1ffe823f2d0d
-
C:\ProgramData\5521072.exeMD5
2c76b57419e7f8a66095faa6d53a687c
SHA133444cae4ddc3c2c0ce39fd0ec9c30fbbc714096
SHA256496a6f3653e7e56b5fe18f0be1f46bd685ab3a41536fcb7075e11028b464b385
SHA5121aa37ebadc0c1d29f87ef59074ba6c082369eb5b3ba297a34dcf9f5d5a9ca0664e33051d3b6346910fd0d49c69068ee99c8ed2464fff63679c1cf11362ddadfc
-
C:\ProgramData\5521072.exeMD5
2c76b57419e7f8a66095faa6d53a687c
SHA133444cae4ddc3c2c0ce39fd0ec9c30fbbc714096
SHA256496a6f3653e7e56b5fe18f0be1f46bd685ab3a41536fcb7075e11028b464b385
SHA5121aa37ebadc0c1d29f87ef59074ba6c082369eb5b3ba297a34dcf9f5d5a9ca0664e33051d3b6346910fd0d49c69068ee99c8ed2464fff63679c1cf11362ddadfc
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exeMD5
b9295c5e9138ccf15d67771f3726c778
SHA140cd9d94e9913a52877f09f340a5c2604030409c
SHA2568c4a2330010cdb34faf9f565943736d0bb9d21eb96a67ccc20c246cfe13e6292
SHA5124e1d7e74be77d151b79024db20f3427c53ddf0557bbccd71b93750514462b5d2d2130948c668b05e66cf4098a56ad34c75ec7d1bd2e21e1c0bda01f7f4345f08
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exeMD5
b9295c5e9138ccf15d67771f3726c778
SHA140cd9d94e9913a52877f09f340a5c2604030409c
SHA2568c4a2330010cdb34faf9f565943736d0bb9d21eb96a67ccc20c246cfe13e6292
SHA5124e1d7e74be77d151b79024db20f3427c53ddf0557bbccd71b93750514462b5d2d2130948c668b05e66cf4098a56ad34c75ec7d1bd2e21e1c0bda01f7f4345f08
-
memory/3344-162-0x000000000E730000-0x000000000E731000-memory.dmpFilesize
4KB
-
memory/3344-164-0x0000000005150000-0x0000000005151000-memory.dmpFilesize
4KB
-
memory/3344-151-0x0000000000000000-mapping.dmp
-
memory/4820-118-0x0000000000BC0000-0x0000000000BC1000-memory.dmpFilesize
4KB
-
memory/4820-123-0x000000001B9F0000-0x000000001B9F2000-memory.dmpFilesize
8KB
-
memory/4820-122-0x0000000001410000-0x0000000001411000-memory.dmpFilesize
4KB
-
memory/4820-121-0x00000000013F0000-0x000000000140C000-memory.dmpFilesize
112KB
-
memory/4820-120-0x00000000013E0000-0x00000000013E1000-memory.dmpFilesize
4KB
-
memory/4904-132-0x0000000000E70000-0x0000000000EA0000-memory.dmpFilesize
192KB
-
memory/4904-124-0x0000000000000000-mapping.dmp
-
memory/4904-134-0x0000000000EA0000-0x0000000000EA1000-memory.dmpFilesize
4KB
-
memory/4904-129-0x0000000000E60000-0x0000000000E61000-memory.dmpFilesize
4KB
-
memory/4904-140-0x000000001B170000-0x000000001B172000-memory.dmpFilesize
8KB
-
memory/4904-127-0x0000000000630000-0x0000000000631000-memory.dmpFilesize
4KB
-
memory/4952-139-0x000000000A140000-0x000000000A141000-memory.dmpFilesize
4KB
-
memory/4952-141-0x00000000058C0000-0x00000000058C1000-memory.dmpFilesize
4KB
-
memory/4952-130-0x0000000000000000-mapping.dmp
-
memory/4952-135-0x0000000000F00000-0x0000000000F01000-memory.dmpFilesize
4KB
-
memory/4952-145-0x0000000005250000-0x0000000005251000-memory.dmpFilesize
4KB
-
memory/4952-137-0x00000000018F0000-0x00000000018F1000-memory.dmpFilesize
4KB
-
memory/4952-138-0x00000000051C0000-0x00000000051CC000-memory.dmpFilesize
48KB
-
memory/5064-148-0x0000000002FA0000-0x0000000002FA1000-memory.dmpFilesize
4KB
-
memory/5064-150-0x00000000055F0000-0x00000000055F1000-memory.dmpFilesize
4KB
-
memory/5064-149-0x0000000005760000-0x0000000005797000-memory.dmpFilesize
220KB
-
memory/5064-154-0x00000000057F0000-0x00000000057F1000-memory.dmpFilesize
4KB
-
memory/5064-146-0x0000000000E70000-0x0000000000E71000-memory.dmpFilesize
4KB
-
memory/5064-163-0x0000000005890000-0x0000000005891000-memory.dmpFilesize
4KB
-
memory/5064-142-0x0000000000000000-mapping.dmp
-
memory/5064-167-0x0000000005F90000-0x0000000005F91000-memory.dmpFilesize
4KB