Analysis
- max time kernel: 4265058s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 17/01/2022, 11:00

Static task: static1
Behavioral task: behavioral1
- Sample: 7adc964978fc6d07051540dce92572970ce1564f239bbefcdf823ae6b00d8624.exe
- Resource: win10v2004-en-20220112
General
- Target: 7adc964978fc6d07051540dce92572970ce1564f239bbefcdf823ae6b00d8624.exe
- Size: 335KB
- MD5: 7a2d70556ffabb1735009b8dd26dff84
- SHA1: 5cb5e9a85d27c5d0eb40d1b7b230aeef0d167df5
- SHA256: 7adc964978fc6d07051540dce92572970ce1564f239bbefcdf823ae6b00d8624
- SHA512: 97df75afb48dd920f523d0415ebd2c7c9f1d91c67c767ca31f66fa0ea99cf76525b605264ef6ede30a5306df80b01fe54bbaab71273d788e0e345678635dc5c0
Malware Config
Extracted
- Family: arkei
- Botnet: homesteadr
- C2: http://homesteadr.link/ggate.php
Signatures
- Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
    description           | pid  | Process      | procid_target
    PID 3580 created 2712 | 3580 | WerFault.exe | 53
- Arkei Stealer Payload (2 IoCs)
    resource                                                                     | yara_rule
    behavioral1/memory/2712-132-0x0000000000400000-0x00000000005DC000-memory.dmp | family_arkei
    behavioral1/memory/2712-131-0x0000000000780000-0x000000000079C000-memory.dmp | family_arkei
- Downloads MZ/PE file
- Checks computer location settings (2 TTPs, 1 IoC)
    Looks up the country code configured in the registry, likely a geofence.
    description       | ioc                                                                                                | Process
    Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | 7adc964978fc6d07051540dce92572970ce1564f239bbefcdf823ae6b00d8624.exe
- Loads dropped DLL (3 IoCs)
    pid  | Process
    2712 | 7adc964978fc6d07051540dce92572970ce1564f239bbefcdf823ae6b00d8624.exe
    2712 | 7adc964978fc6d07051540dce92572970ce1564f239bbefcdf823ae6b00d8624.exe
    2712 | 7adc964978fc6d07051540dce92572970ce1564f239bbefcdf823ae6b00d8624.exe
- Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
    Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
    pid  | pid_target | Process      | procid_target
    2964 | 2712       | WerFault.exe | 53
- Checks processor information in registry (2 TTPs, 7 IoCs)
    Processor information is often read in order to detect sandboxing environments.
    description       | ioc                                                                            | Process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
    Key opened        | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0                    | MusNotification.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz              | MusNotification.exe
    Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                    | 7adc964978fc6d07051540dce92572970ce1564f239bbefcdf823ae6b00d8624.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 7adc964978fc6d07051540dce92572970ce1564f239bbefcdf823ae6b00d8624.exe
    Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                    | WerFault.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz              | WerFault.exe
- Delays execution with timeout.exe (1 IoC)
    pid  | Process
    3556 | timeout.exe
- Enumerates system info in registry (2 TTPs, 2 IoCs)
    description       | ioc                                                       | Process
    Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\BIOS        | WerFault.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
    pid  | Process
    2964 | WerFault.exe
    2964 | WerFault.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
    description                      | pid  | Process
    Token: SeShutdownPrivilege       | 4060 | MusNotification.exe
    Token: SeCreatePagefilePrivilege | 4060 | MusNotification.exe
    Token: SeRestorePrivilege        | 2964 | WerFault.exe
    Token: SeBackupPrivilege         | 2964 | WerFault.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
    description                        | pid  | Process                                                              | procid_target
    PID 2712 wrote to memory of 1288   | 2712 | 7adc964978fc6d07051540dce92572970ce1564f239bbefcdf823ae6b00d8624.exe | 60
    PID 2712 wrote to memory of 1288   | 2712 | 7adc964978fc6d07051540dce92572970ce1564f239bbefcdf823ae6b00d8624.exe | 60
    PID 2712 wrote to memory of 1288   | 2712 | 7adc964978fc6d07051540dce92572970ce1564f239bbefcdf823ae6b00d8624.exe | 60
    PID 1288 wrote to memory of 3556   | 1288 | cmd.exe                                                              | 63
    PID 1288 wrote to memory of 3556   | 1288 | cmd.exe                                                              | 63
    PID 1288 wrote to memory of 3556   | 1288 | cmd.exe                                                              | 63
    PID 3580 wrote to memory of 2712   | 3580 | WerFault.exe                                                         | 53
    PID 3580 wrote to memory of 2712   | 3580 | WerFault.exe                                                         | 53
Processes
- C:\Users\Admin\AppData\Local\Temp\7adc964978fc6d07051540dce92572970ce1564f239bbefcdf823ae6b00d8624.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7adc964978fc6d07051540dce92572970ce1564f239bbefcdf823ae6b00d8624.exe"
    PID: 2712
    - Checks computer location settings
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7adc964978fc6d07051540dce92572970ce1564f239bbefcdf823ae6b00d8624.exe" & exit
        PID: 1288
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\timeout.exe
            Command line: timeout /t 5
            PID: 3556
            - Delays execution with timeout.exe
    - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 1412
        PID: 2964
        - Program crash
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\MusNotification.exe
    Command line: C:\Windows\system32\MusNotification.exe
    PID: 4060
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2712 -ip 2712
    PID: 3580
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Suspicious use of WriteProcessMemory