Analysis
max time kernel: 4265064s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 17/01/2022, 10:27
Static task: static1
Behavioral task: behavioral1
  Sample: 3443c50a3f82c68489c42f416079135d.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 3443c50a3f82c68489c42f416079135d.exe
  Resource: win10v2004-en-20220112
General
Target: 3443c50a3f82c68489c42f416079135d.exe
Size: 280KB
MD5: 3443c50a3f82c68489c42f416079135d
SHA1: c55d29de699a66ffc4df52dbb917e3ac40759523
SHA256: 85dd04331f4c472e795d3cd3fbd9f6fd165b05af55aa94d429a2c90d56c46227
SHA512: b03eb8159c2edf8f17c14e32e48de2673a4a1cd4fc27345af16bbb161ddd4bc1a2bc2a5a392819dc50644e0ccfc47d16372d3d2ccec36860d6569b75c6398ca8
Malware Config
Extracted
arkei
homesteadr
http://homesteadr.link/ggate.php
Signatures

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoCs)
  description | pid | Process | procid_target
  PID 1000 created 3312 | 1000 | WerFault.exe | 54

Arkei Stealer Payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/3312-132-0x0000000000400000-0x00000000005D0000-memory.dmp | family_arkei
  behavioral2/memory/3312-131-0x0000000000780000-0x000000000079C000-memory.dmp | family_arkei

Downloads MZ/PE file

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | 3443c50a3f82c68489c42f416079135d.exe

Loads dropped DLL (3 IoCs)
  pid | Process
  3312 | 3443c50a3f82c68489c42f416079135d.exe
  3312 | 3443c50a3f82c68489c42f416079135d.exe
  3312 | 3443c50a3f82c68489c42f416079135d.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoCs)
  pid | pid_target | Process | procid_target
  1852 | 3312 | WerFault.exe | 54

Checks processor information in registry (2 TTPs, 7 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
  Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotification.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotification.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 3443c50a3f82c68489c42f416079135d.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 3443c50a3f82c68489c42f416079135d.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe

Delays execution with timeout.exe (1 IoCs)
  pid | Process
  3592 | timeout.exe

Enumerates system info in registry (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  1852 | WerFault.exe
  1852 | WerFault.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | Process
  Token: SeShutdownPrivilege | 1016 | MusNotification.exe
  Token: SeCreatePagefilePrivilege | 1016 | MusNotification.exe
  Token: SeRestorePrivilege | 1852 | WerFault.exe
  Token: SeBackupPrivilege | 1852 | WerFault.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 3312 wrote to memory of 2416 | 3312 | 3443c50a3f82c68489c42f416079135d.exe | 60
  PID 3312 wrote to memory of 2416 | 3312 | 3443c50a3f82c68489c42f416079135d.exe | 60
  PID 3312 wrote to memory of 2416 | 3312 | 3443c50a3f82c68489c42f416079135d.exe | 60
  PID 2416 wrote to memory of 3592 | 2416 | cmd.exe | 63
  PID 2416 wrote to memory of 3592 | 2416 | cmd.exe | 63
  PID 2416 wrote to memory of 3592 | 2416 | cmd.exe | 63
  PID 1000 wrote to memory of 3312 | 1000 | WerFault.exe | 54
  PID 1000 wrote to memory of 3312 | 1000 | WerFault.exe | 54
Processes

C:\Users\Admin\AppData\Local\Temp\3443c50a3f82c68489c42f416079135d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3443c50a3f82c68489c42f416079135d.exe"
  - Checks computer location settings
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID: 3312

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\3443c50a3f82c68489c42f416079135d.exe" & exit
      - Suspicious use of WriteProcessMemory
      PID: 2416

        C:\Windows\SysWOW64\timeout.exe
          Command line: timeout /t 5
          - Delays execution with timeout.exe
          PID: 3592

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 1488
      - Program crash
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1852

C:\Windows\system32\MusNotification.exe
  Command line: C:\Windows\system32\MusNotification.exe
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID: 1016

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3312 -ip 3312
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Suspicious use of WriteProcessMemory
  PID: 1000