Overview
overview
10Static
static
107zS850A099...ed.exe
windows7_x64
107zS850A099...ed.exe
windows10-2004_x64
107zS850A099...1a.exe
windows7_x64
87zS850A099...1a.exe
windows10-2004_x64
87zS850A099...b7.exe
windows7_x64
107zS850A099...b7.exe
windows10-2004_x64
107zS850A099...5e.exe
windows7_x64
107zS850A099...5e.exe
windows10-2004_x64
17zS850A099...a0.exe
windows7_x64
107zS850A099...a0.exe
windows10-2004_x64
107zS850A099...95.exe
windows7_x64
77zS850A099...95.exe
windows10-2004_x64
77zS850A099...cb.exe
windows7_x64
107zS850A099...cb.exe
windows10-2004_x64
17zS850A099...58.exe
windows7_x64
107zS850A099...58.exe
windows10-2004_x64
107zS850A099...7f.exe
windows7_x64
107zS850A099...7f.exe
windows10-2004_x64
107zS850A099...32.exe
windows7_x64
107zS850A099...32.exe
windows10-2004_x64
107zS850A099...c3.exe
windows7_x64
87zS850A099...c3.exe
windows10-2004_x64
107zS850A099...e9.exe
windows7_x64
67zS850A099...e9.exe
windows10-2004_x64
17zS850A099...8c.exe
windows7_x64
107zS850A099...8c.exe
windows10-2004_x64
17zS850A099...8c.exe
windows7_x64
77zS850A099...8c.exe
windows10-2004_x64
87zS850A099...ll.exe
windows7_x64
107zS850A099...ll.exe
windows10-2004_x64
10Analysis
-
max time kernel
138s -
max time network
172s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
20-01-2022 18:11
Behavioral task
behavioral1
Sample
7zS850A099E/61e74fd2175cb_Tue23956aa60ed.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
7zS850A099E/61e74fd2175cb_Tue23956aa60ed.exe
Resource
win10v2004-en-20220112
Behavioral task
behavioral3
Sample
7zS850A099E/61e74fd3252fe_Tue23df2ad021a.exe
Resource
win7-en-20211208
Behavioral task
behavioral4
Sample
7zS850A099E/61e74fd3252fe_Tue23df2ad021a.exe
Resource
win10v2004-en-20220112
Behavioral task
behavioral5
Sample
7zS850A099E/61e74fd41f841_Tue2365aa82b7.exe
Resource
win7-en-20211208
Behavioral task
behavioral6
Sample
7zS850A099E/61e74fd41f841_Tue2365aa82b7.exe
Resource
win10v2004-en-20220112
Behavioral task
behavioral7
Sample
7zS850A099E/61e74fd53f766_Tue23ec97445e.exe
Resource
win7-en-20211208
Behavioral task
behavioral8
Sample
7zS850A099E/61e74fd53f766_Tue23ec97445e.exe
Resource
win10v2004-en-20220113
Behavioral task
behavioral9
Sample
7zS850A099E/61e74fd78769f_Tue234b6c24d9a0.exe
Resource
win7-en-20211208
Behavioral task
behavioral10
Sample
7zS850A099E/61e74fd78769f_Tue234b6c24d9a0.exe
Resource
win10v2004-en-20220113
Behavioral task
behavioral11
Sample
7zS850A099E/61e74fd8ef830_Tue23593425095.exe
Resource
win7-en-20211208
Behavioral task
behavioral12
Sample
7zS850A099E/61e74fd8ef830_Tue23593425095.exe
Resource
win10v2004-en-20220113
Behavioral task
behavioral13
Sample
7zS850A099E/61e74fda51500_Tue23260baecb.exe
Resource
win7-en-20211208
Behavioral task
behavioral14
Sample
7zS850A099E/61e74fda51500_Tue23260baecb.exe
Resource
win10v2004-en-20220113
Behavioral task
behavioral15
Sample
7zS850A099E/61e7501ab629f_Tue23c4645058.exe
Resource
win7-en-20211208
Behavioral task
behavioral16
Sample
7zS850A099E/61e7501ab629f_Tue23c4645058.exe
Resource
win10v2004-en-20220112
Behavioral task
behavioral17
Sample
7zS850A099E/61e7501b7eabe_Tue2344597f.exe
Resource
win7-en-20211208
Behavioral task
behavioral18
Sample
7zS850A099E/61e7501b7eabe_Tue2344597f.exe
Resource
win10v2004-en-20220112
Behavioral task
behavioral19
Sample
7zS850A099E/61e7501c830d6_Tue23bdf4712a32.exe
Resource
win7-en-20211208
Behavioral task
behavioral20
Sample
7zS850A099E/61e7501c830d6_Tue23bdf4712a32.exe
Resource
win10v2004-en-20220112
Behavioral task
behavioral21
Sample
7zS850A099E/61e7501db65f3_Tue23c7b395c3.exe
Resource
win7-en-20211208
Behavioral task
behavioral22
Sample
7zS850A099E/61e7501db65f3_Tue23c7b395c3.exe
Resource
win10v2004-en-20220113
Behavioral task
behavioral23
Sample
7zS850A099E/61e7502b8389b_Tue233252e9.exe
Resource
win7-en-20211208
Behavioral task
behavioral24
Sample
7zS850A099E/61e7502b8389b_Tue233252e9.exe
Resource
win10v2004-en-20220113
Behavioral task
behavioral25
Sample
7zS850A099E/61e7502c4cff3_Tue232cba58c.exe
Resource
win7-en-20211208
Behavioral task
behavioral26
Sample
7zS850A099E/61e7502c4cff3_Tue232cba58c.exe
Resource
win10v2004-en-20220113
Behavioral task
behavioral27
Sample
7zS850A099E/61e7502f007f3_Tue23d6fecf8c.exe
Resource
win7-en-20211208
Behavioral task
behavioral28
Sample
7zS850A099E/61e7502f007f3_Tue23d6fecf8c.exe
Resource
win10v2004-en-20220113
Behavioral task
behavioral29
Sample
7zS850A099E/setup_install.exe
Resource
win7-en-20211208
Behavioral task
behavioral30
Sample
7zS850A099E/setup_install.exe
Resource
win10v2004-en-20220112
General
-
Target
7zS850A099E/61e7501db65f3_Tue23c7b395c3.exe
-
Size
1.6MB
-
MD5
79400b1fd740d9cb7ec7c2c2e9a7d618
-
SHA1
8ab8d7dcd469853f61ca27b8afe2ab6e0f2a1bb3
-
SHA256
556d5c93b2ceb585711ccce22e39e3327f388b893d76a3a7974967fe99a6fa7f
-
SHA512
3ed024b02d7410d5ddc7bb772a2b3e8a5516a16d1cb5fac9f5d925da84b376b67117daf238fb53c7707e6bb86a0198534ad1e79b6ebed979b505b3faf9ae55ac
Malware Config
Signatures
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes:
WerFault.exedescription pid process target process PID 760 created 2628 760 WerFault.exe 61e7501db65f3_Tue23c7b395c3.exe -
Executes dropped EXE 1 IoCs
Processes:
11111.exepid process 2076 11111.exe -
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\11111.exe upx C:\Users\Admin\AppData\Local\Temp\11111.exe upx -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 16 ip-api.com -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 3752 2628 WerFault.exe 61e7501db65f3_Tue23c7b395c3.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WerFault.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
WerFault.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
11111.exeWerFault.exepid process 2076 11111.exe 2076 11111.exe 2076 11111.exe 2076 11111.exe 3752 WerFault.exe 3752 WerFault.exe -
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
61e7501db65f3_Tue23c7b395c3.exeWerFault.exedescription pid process target process PID 2628 wrote to memory of 2076 2628 61e7501db65f3_Tue23c7b395c3.exe 11111.exe PID 2628 wrote to memory of 2076 2628 61e7501db65f3_Tue23c7b395c3.exe 11111.exe PID 2628 wrote to memory of 2076 2628 61e7501db65f3_Tue23c7b395c3.exe 11111.exe PID 760 wrote to memory of 2628 760 WerFault.exe 61e7501db65f3_Tue23c7b395c3.exe PID 760 wrote to memory of 2628 760 WerFault.exe 61e7501db65f3_Tue23c7b395c3.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2628 -s 9162⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 440 -p 2628 -ip 26281⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\11111.exeMD5
d0527733abcc5c58735e11d43061b431
SHA128de9d191826192721e325787b8a50a84328cffd
SHA256b4ef7ee228c1500f7bb3686361b1a246954efe04cf14d218b5ee709bc0d88b45
SHA5127704b215fade38c9a4aa2395263f3d4d9392b318b5644146464d233006a6de86f53a5f6e47cd909c0d968e3ef4db397f52e28ca4d6a1b2e88e1c40a1dbde3fb5
-
C:\Users\Admin\AppData\Local\Temp\11111.exeMD5
d0527733abcc5c58735e11d43061b431
SHA128de9d191826192721e325787b8a50a84328cffd
SHA256b4ef7ee228c1500f7bb3686361b1a246954efe04cf14d218b5ee709bc0d88b45
SHA5127704b215fade38c9a4aa2395263f3d4d9392b318b5644146464d233006a6de86f53a5f6e47cd909c0d968e3ef4db397f52e28ca4d6a1b2e88e1c40a1dbde3fb5
-
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txtMD5
93784f6d96c9c9104e21658c932c7161
SHA15f7903790dde06c449025f589d5072935163bc5d
SHA256760df0359f0847383e2910cc7081740b3ac9b392ab745d65287672a661db0d38
SHA51246e964678beac0d9ee43a982c11a504a6b636a8cf4460d18033bf4a87b98282530da12809aa37121197488edfdb6fac0f9f86afac301eba71d5bf84570bc649b