8050946d45275d1d9a207b61e1e7c69f906193fe120b111497bb15960f9ca379

Analysis

max time kernel
76s
max time network
167s
platform
windows10_x64
resource
win10-en
submitted
10-09-2021 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fri191454c4b4.exe
Size

151KB
MD5

7c8489d12be3a8b7c8d0a1cec55e2c34
SHA1

01d47c6e6809392ee6c85f3204d43b4dc5e83544
SHA256

6e5c3d18da03948721f6a66c441990b099f5f9abec0ab8a0ebe7aa9b83fad784
SHA512

83381a04e2ed42f0098f4d37592811aea0ad37e6fb0d6a5b8ba05563bf51ac229f5626fdc9a63ef3edbd1ef9d30948c8227a139c2abeabf11cdbced01cfc2f64

Score

8^/10

discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

5268839.exe3007104.exe5521072.exeWinHoster.exe

pid process

4904 5268839.exe
4952 3007104.exe
5064 5521072.exe
3344 WinHoster.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3007104.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	3007104.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops file in Windows directory 1 IoCs

Processes:

WerFault.exe

description ioc process

File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp WerFault.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4104 4904 WerFault.exe 5268839.exe
3996 5064 WerFault.exe 5521072.exe

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

pid	pid_target	process	target process
4104	4904	WerFault.exe	5268839.exe
3996	5064	WerFault.exe	5521072.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

5268839.exe5521072.exeWerFault.exeWerFault.exe

pid	process
4904	5268839.exe
5064	5521072.exe
4104	WerFault.exe
4104	WerFault.exe
4104	WerFault.exe
4104	WerFault.exe
4104	WerFault.exe
4104	WerFault.exe
4104	WerFault.exe
4104	WerFault.exe
4104	WerFault.exe
4104	WerFault.exe
4104	WerFault.exe
4104	WerFault.exe
4104	WerFault.exe
4104	WerFault.exe
3996	WerFault.exe
3996	WerFault.exe
3996	WerFault.exe
3996	WerFault.exe
3996	WerFault.exe
3996	WerFault.exe
3996	WerFault.exe
3996	WerFault.exe
3996	WerFault.exe
3996	WerFault.exe
3996	WerFault.exe
3996	WerFault.exe
3996	WerFault.exe
3996	WerFault.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

Fri191454c4b4.exe5268839.exe5521072.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	4820	Fri191454c4b4.exe
Token: SeDebugPrivilege	4904	5268839.exe
Token: SeDebugPrivilege	5064	5521072.exe
Token: SeDebugPrivilege	4104	WerFault.exe
Token: SeRestorePrivilege	3996	WerFault.exe
Token: SeBackupPrivilege	3996	WerFault.exe
Token: SeBackupPrivilege	3996	WerFault.exe
Token: SeDebugPrivilege	3996	WerFault.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

Fri191454c4b4.exe3007104.exe

description	pid	process	target process
PID 4820 wrote to memory of 4904	4820	Fri191454c4b4.exe	5268839.exe
PID 4820 wrote to memory of 4904	4820	Fri191454c4b4.exe	5268839.exe
PID 4820 wrote to memory of 4952	4820	Fri191454c4b4.exe	3007104.exe
PID 4820 wrote to memory of 4952	4820	Fri191454c4b4.exe	3007104.exe
PID 4820 wrote to memory of 4952	4820	Fri191454c4b4.exe	3007104.exe
PID 4820 wrote to memory of 5064	4820	Fri191454c4b4.exe	5521072.exe
PID 4820 wrote to memory of 5064	4820	Fri191454c4b4.exe	5521072.exe
PID 4820 wrote to memory of 5064	4820	Fri191454c4b4.exe	5521072.exe
PID 4952 wrote to memory of 3344	4952	3007104.exe	WinHoster.exe
PID 4952 wrote to memory of 3344	4952	3007104.exe	WinHoster.exe
PID 4952 wrote to memory of 3344	4952	3007104.exe	WinHoster.exe

C:\Users\Admin\AppData\Local\Temp\Fri191454c4b4.exe
"C:\Users\Admin\AppData\Local\Temp\Fri191454c4b4.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4820

C:\ProgramData\5268839.exe
"C:\ProgramData\5268839.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4904

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4904 -s 2024
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4104

C:\ProgramData\3007104.exe
"C:\ProgramData\3007104.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4952

C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
3⤵
- Executes dropped EXE
PID:3344

C:\ProgramData\5521072.exe
"C:\ProgramData\5521072.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 2124
3⤵
- Drops file in Windows directory
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3996

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\3007104.exe
MD5
b9295c5e9138ccf15d67771f3726c778

SHA1
40cd9d94e9913a52877f09f340a5c2604030409c

SHA256
8c4a2330010cdb34faf9f565943736d0bb9d21eb96a67ccc20c246cfe13e6292

SHA512
4e1d7e74be77d151b79024db20f3427c53ddf0557bbccd71b93750514462b5d2d2130948c668b05e66cf4098a56ad34c75ec7d1bd2e21e1c0bda01f7f4345f08

Download Submit
C:\ProgramData\3007104.exe
MD5
b9295c5e9138ccf15d67771f3726c778

SHA1
40cd9d94e9913a52877f09f340a5c2604030409c

SHA256
8c4a2330010cdb34faf9f565943736d0bb9d21eb96a67ccc20c246cfe13e6292

SHA512
4e1d7e74be77d151b79024db20f3427c53ddf0557bbccd71b93750514462b5d2d2130948c668b05e66cf4098a56ad34c75ec7d1bd2e21e1c0bda01f7f4345f08

Download Submit
C:\ProgramData\5268839.exe
MD5
05213c90ae83f9a9721ec8556d989b3f

SHA1
6b08770d890d232fa912b4fbc3a18b7a69afa006

SHA256
3d4e9dcaedad519133be041dd9dc02d6ba9aa241a2f4ebc90bcf21147d5d5a9d

SHA512
1ff033fa4787ccdd1ffe2d97f1475597abe1a7af97076fa7ef09f370e54d3bac333530055048fa6272c3afef2ba57b63c219c99155483a4885ae1ffe823f2d0d

Download Submit
C:\ProgramData\5268839.exe
MD5
05213c90ae83f9a9721ec8556d989b3f

SHA1
6b08770d890d232fa912b4fbc3a18b7a69afa006

SHA256
3d4e9dcaedad519133be041dd9dc02d6ba9aa241a2f4ebc90bcf21147d5d5a9d

SHA512
1ff033fa4787ccdd1ffe2d97f1475597abe1a7af97076fa7ef09f370e54d3bac333530055048fa6272c3afef2ba57b63c219c99155483a4885ae1ffe823f2d0d

Download Submit
C:\ProgramData\5521072.exe
MD5
2c76b57419e7f8a66095faa6d53a687c

SHA1
33444cae4ddc3c2c0ce39fd0ec9c30fbbc714096

SHA256
496a6f3653e7e56b5fe18f0be1f46bd685ab3a41536fcb7075e11028b464b385

SHA512
1aa37ebadc0c1d29f87ef59074ba6c082369eb5b3ba297a34dcf9f5d5a9ca0664e33051d3b6346910fd0d49c69068ee99c8ed2464fff63679c1cf11362ddadfc

Download Submit
C:\ProgramData\5521072.exe
MD5
2c76b57419e7f8a66095faa6d53a687c

SHA1
33444cae4ddc3c2c0ce39fd0ec9c30fbbc714096

SHA256
496a6f3653e7e56b5fe18f0be1f46bd685ab3a41536fcb7075e11028b464b385

SHA512
1aa37ebadc0c1d29f87ef59074ba6c082369eb5b3ba297a34dcf9f5d5a9ca0664e33051d3b6346910fd0d49c69068ee99c8ed2464fff63679c1cf11362ddadfc

Download Submit
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
MD5
b9295c5e9138ccf15d67771f3726c778

SHA1
40cd9d94e9913a52877f09f340a5c2604030409c

SHA256
8c4a2330010cdb34faf9f565943736d0bb9d21eb96a67ccc20c246cfe13e6292

SHA512
4e1d7e74be77d151b79024db20f3427c53ddf0557bbccd71b93750514462b5d2d2130948c668b05e66cf4098a56ad34c75ec7d1bd2e21e1c0bda01f7f4345f08

Download Submit
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
MD5
b9295c5e9138ccf15d67771f3726c778

SHA1
40cd9d94e9913a52877f09f340a5c2604030409c

SHA256
8c4a2330010cdb34faf9f565943736d0bb9d21eb96a67ccc20c246cfe13e6292

SHA512
4e1d7e74be77d151b79024db20f3427c53ddf0557bbccd71b93750514462b5d2d2130948c668b05e66cf4098a56ad34c75ec7d1bd2e21e1c0bda01f7f4345f08

Download Submit
memory/3344-162-0x000000000E730000-0x000000000E731000-memory.dmp

Filesize
4KB

Download
memory/3344-164-0x0000000005150000-0x0000000005151000-memory.dmp

Filesize
4KB

Download
memory/3344-151-0x0000000000000000-mapping.dmp

Download
memory/4820-118-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/4820-123-0x000000001B9F0000-0x000000001B9F2000-memory.dmp

Filesize
8KB

Download
memory/4820-122-0x0000000001410000-0x0000000001411000-memory.dmp

Filesize
4KB

Download
memory/4820-121-0x00000000013F0000-0x000000000140C000-memory.dmp

Filesize
112KB

Download
memory/4820-120-0x00000000013E0000-0x00000000013E1000-memory.dmp

Filesize
4KB

Download
memory/4904-132-0x0000000000E70000-0x0000000000EA0000-memory.dmp

Filesize
192KB

Download
memory/4904-124-0x0000000000000000-mapping.dmp

Download
memory/4904-134-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/4904-129-0x0000000000E60000-0x0000000000E61000-memory.dmp

Filesize
4KB

Download
memory/4904-140-0x000000001B170000-0x000000001B172000-memory.dmp

Filesize
8KB

Download
memory/4904-127-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/4952-139-0x000000000A140000-0x000000000A141000-memory.dmp

Filesize
4KB

Download
memory/4952-141-0x00000000058C0000-0x00000000058C1000-memory.dmp

Filesize
4KB

Download
memory/4952-130-0x0000000000000000-mapping.dmp

Download
memory/4952-135-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/4952-145-0x0000000005250000-0x0000000005251000-memory.dmp

Filesize
4KB

Download
memory/4952-137-0x00000000018F0000-0x00000000018F1000-memory.dmp

Filesize
4KB

Download
memory/4952-138-0x00000000051C0000-0x00000000051CC000-memory.dmp

Filesize
48KB

Download
memory/5064-148-0x0000000002FA0000-0x0000000002FA1000-memory.dmp

Filesize
4KB

Download
memory/5064-150-0x00000000055F0000-0x00000000055F1000-memory.dmp

Filesize
4KB

Download
memory/5064-149-0x0000000005760000-0x0000000005797000-memory.dmp

Filesize
220KB

Download
memory/5064-154-0x00000000057F0000-0x00000000057F1000-memory.dmp

Filesize
4KB

Download
memory/5064-146-0x0000000000E70000-0x0000000000E71000-memory.dmp

Filesize
4KB

Download
memory/5064-163-0x0000000005890000-0x0000000005891000-memory.dmp

Filesize
4KB

Download
memory/5064-142-0x0000000000000000-mapping.dmp

Download
memory/5064-167-0x0000000005F90000-0x0000000005F91000-memory.dmp

Filesize
4KB

Download