Analysis
-
max time kernel
4265064s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
17-01-2022 10:27
Static task
static1
Behavioral task
behavioral1
Sample
3443c50a3f82c68489c42f416079135d.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
3443c50a3f82c68489c42f416079135d.exe
Resource
win10v2004-en-20220112
General
-
Target
3443c50a3f82c68489c42f416079135d.exe
-
Size
280KB
-
MD5
3443c50a3f82c68489c42f416079135d
-
SHA1
c55d29de699a66ffc4df52dbb917e3ac40759523
-
SHA256
85dd04331f4c472e795d3cd3fbd9f6fd165b05af55aa94d429a2c90d56c46227
-
SHA512
b03eb8159c2edf8f17c14e32e48de2673a4a1cd4fc27345af16bbb161ddd4bc1a2bc2a5a392819dc50644e0ccfc47d16372d3d2ccec36860d6569b75c6398ca8
Malware Config
Extracted
arkei
homesteadr
http://homesteadr.link/ggate.php
Signatures
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes:
WerFault.exedescription pid process target process PID 1000 created 3312 1000 WerFault.exe 3443c50a3f82c68489c42f416079135d.exe -
Arkei Stealer Payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/3312-132-0x0000000000400000-0x00000000005D0000-memory.dmp family_arkei behavioral2/memory/3312-131-0x0000000000780000-0x000000000079C000-memory.dmp family_arkei -
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
3443c50a3f82c68489c42f416079135d.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation 3443c50a3f82c68489c42f416079135d.exe -
Loads dropped DLL 3 IoCs
Processes:
3443c50a3f82c68489c42f416079135d.exepid process 3312 3443c50a3f82c68489c42f416079135d.exe 3312 3443c50a3f82c68489c42f416079135d.exe 3312 3443c50a3f82c68489c42f416079135d.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1852 3312 WerFault.exe 3443c50a3f82c68489c42f416079135d.exe -
Checks processor information in registry 2 TTPs 7 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WerFault.exeMusNotification.exe3443c50a3f82c68489c42f416079135d.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 MusNotification.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz MusNotification.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 3443c50a3f82c68489c42f416079135d.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 3443c50a3f82c68489c42f416079135d.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe -
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 3592 timeout.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
WerFault.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
WerFault.exepid process 1852 WerFault.exe 1852 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
MusNotification.exeWerFault.exedescription pid process Token: SeShutdownPrivilege 1016 MusNotification.exe Token: SeCreatePagefilePrivilege 1016 MusNotification.exe Token: SeRestorePrivilege 1852 WerFault.exe Token: SeBackupPrivilege 1852 WerFault.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
3443c50a3f82c68489c42f416079135d.execmd.exeWerFault.exedescription pid process target process PID 3312 wrote to memory of 2416 3312 3443c50a3f82c68489c42f416079135d.exe cmd.exe PID 3312 wrote to memory of 2416 3312 3443c50a3f82c68489c42f416079135d.exe cmd.exe PID 3312 wrote to memory of 2416 3312 3443c50a3f82c68489c42f416079135d.exe cmd.exe PID 2416 wrote to memory of 3592 2416 cmd.exe timeout.exe PID 2416 wrote to memory of 3592 2416 cmd.exe timeout.exe PID 2416 wrote to memory of 3592 2416 cmd.exe timeout.exe PID 1000 wrote to memory of 3312 1000 WerFault.exe 3443c50a3f82c68489c42f416079135d.exe PID 1000 wrote to memory of 3312 1000 WerFault.exe 3443c50a3f82c68489c42f416079135d.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3443c50a3f82c68489c42f416079135d.exe"C:\Users\Admin\AppData\Local\Temp\3443c50a3f82c68489c42f416079135d.exe"1⤵
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\3443c50a3f82c68489c42f416079135d.exe" & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /t 53⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 14882⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\MusNotification.exeC:\Windows\system32\MusNotification.exe1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3312 -ip 33121⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\mozglue.dllMD5
8f73c08a9660691143661bf7332c3c27
SHA137fa65dd737c50fda710fdbde89e51374d0c204a
SHA2563fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA5120042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89
-
C:\ProgramData\nss3.dllMD5
bfac4e3c5908856ba17d41edcd455a51
SHA18eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA5122565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66
-
C:\ProgramData\sqlite3.dllMD5
e477a96c8f2b18d6b5c27bde49c990bf
SHA1e980c9bf41330d1e5bd04556db4646a0210f7409
SHA25616574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660
SHA512335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c
-
memory/2416-136-0x0000000000000000-mapping.dmp
-
memory/3312-130-0x0000000000668000-0x0000000000679000-memory.dmpFilesize
68KB
-
memory/3312-132-0x0000000000400000-0x00000000005D0000-memory.dmpFilesize
1.8MB
-
memory/3312-131-0x0000000000780000-0x000000000079C000-memory.dmpFilesize
112KB
-
memory/3592-137-0x0000000000000000-mapping.dmp