Analysis Overview
SHA256
10077bec9ee4408196ba97fa5bd3a2ff409ef9deddb183aeca757798ff68ec64
Threat Level: Known bad
The file 10077bec9ee4408196ba97fa5bd3a2ff409ef9deddb183aeca757798ff68ec64 was found to be: Known bad.
Malicious Activity Summary
Socelars family
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Executes dropped EXE
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
Checks whether UAC is enabled
Drops file in Windows directory
Program crash
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-11-20 07:56
Signatures
Socelars Payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Socelars family
Analysis: behavioral1
Detonation Overview
Submitted
2021-11-20 07:56
Reported
2021-11-20 07:59
Platform
win10-en-20211104
Max time kernel
121s
Max time network
124s
Command Line
Signatures
Suspicious use of NtCreateProcessExOtherParentProcess
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1020 created 4380 | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\vinmall_dj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe | N/A |
Reads user/profile data of web browsers
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\RarSFX0\vinmall_dj.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\AppCompat\Programs\Amcache.hve.tmp | C:\Windows\SysWOW64\WerFault.exe | N/A |
Enumerates physical storage devices
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\10077bec9ee4408196ba97fa5bd3a2ff409ef9deddb183aeca757798ff68ec64.exe
"C:\Users\Admin\AppData\Local\Temp\10077bec9ee4408196ba97fa5bd3a2ff409ef9deddb183aeca757798ff68ec64.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\vinmall_dj.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\vinmall_dj.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 812
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 912
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1232
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1276
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1224
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| MY | 111.90.158.95:80 | 111.90.158.95 | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| DE | 5.9.162.45:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | time.windows.com | udp |
| NL | 20.101.57.9:123 | time.windows.com | udp |
| US | 8.8.8.8:53 | postbackstat.biz | udp |
| DE | 194.87.138.114:80 | postbackstat.biz | tcp |
Files
memory/3908-118-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\vinmall_dj.exe
| MD5 | a1d00143873b96218372c6ae79090475 |
| SHA1 | 7076057730486912f44bc99374c4a5b72376e253 |
| SHA256 | 122104f07c14145af975d69374eb9c29f69f2913c0e9af762c5a9c1085530711 |
| SHA512 | 0d6415f2ee2163b77f4828f107c49278132177725646d8ab4d2bb4515684a4a84ad07fb38fb05fb193a29052cfab3b3e0d88e6f0f69d03254e769eb5fc2f18d7 |
memory/3908-121-0x0000000000030000-0x0000000000033000-memory.dmp
memory/3908-122-0x0000000003A70000-0x0000000003A80000-memory.dmp
memory/3908-128-0x0000000003C10000-0x0000000003C20000-memory.dmp
memory/3908-134-0x0000000004DA0000-0x0000000004DA8000-memory.dmp
memory/3908-135-0x0000000005040000-0x0000000005048000-memory.dmp
memory/3908-136-0x0000000005040000-0x0000000005048000-memory.dmp
memory/3908-161-0x00000000049A0000-0x00000000049A8000-memory.dmp
memory/3908-176-0x0000000004BA0000-0x0000000004BA8000-memory.dmp
memory/3908-177-0x0000000004BA0000-0x0000000004BA8000-memory.dmp
memory/4380-183-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe
| MD5 | 12b7c9704aa57489507a76980c7e8383 |
| SHA1 | cfed4dae8f721e4809399d8fb11cf8b5ed94b30c |
| SHA256 | 3fcda96bd514cc95ea2f8092b9759837d1a3fb6d8bffcbbf5c76109e3976339b |
| SHA512 | 497afb49c7a95f4be486a1c55e42832e5cd69012853e5a199e937f4c4544aa3f03bca2c62bcc03322eb504b51cbbcbffb580ec80dd55c7b7a580c6e04235977a |
memory/4380-188-0x0000000000400000-0x0000000002B57000-memory.dmp
memory/4380-187-0x0000000002C40000-0x0000000002D8A000-memory.dmp