Analysis Overview
SHA256
0143357e1751b8e60ec677b45be7eb653ca8767e88647c017d0f8bb19345e6e3
Threat Level: Known bad
The file 0143357e1751b8e60ec677b45be7eb653ca8767e88647c017d0f8bb19345e6e3 was found to be: Known bad.
Malicious Activity Summary
suricata: ET MALWARE GCleaner Downloader Activity M5
Socelars family
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Executes dropped EXE
Reads user/profile data of web browsers
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Drops file in Windows directory
Enumerates physical storage devices
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-11-20 08:01
Signatures
Socelars Payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Socelars family
Analysis: behavioral1
Detonation Overview
Submitted
2021-11-20 08:01
Reported
2021-11-20 08:04
Platform
win10-en-20211104
Max time kernel
118s
Max time network
121s
Signatures
Suspicious use of NtCreateProcessExOtherParentProcess
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2744 created 376 | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe |
suricata: ET MALWARE GCleaner Downloader Activity M5
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\vinmall_da.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe | N/A |
Reads user/profile data of web browsers
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\RarSFX0\vinmall_da.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\AppCompat\Programs\Amcache.hve.tmp | C:\Windows\SysWOW64\WerFault.exe | N/A |
Enumerates physical storage devices
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0143357e1751b8e60ec677b45be7eb653ca8767e88647c017d0f8bb19345e6e3.exe
"C:\Users\Admin\AppData\Local\Temp\0143357e1751b8e60ec677b45be7eb653ca8767e88647c017d0f8bb19345e6e3.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\vinmall_da.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\vinmall_da.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 780
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 1160
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 1256
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 1248
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| MY | 111.90.158.95:80 | 111.90.158.95 | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| DE | 5.9.162.45:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | time.windows.com | udp |
| NL | 40.119.148.38:123 | time.windows.com | udp |
| US | 8.8.8.8:53 | postbackstat.biz | udp |
| DE | 194.87.138.114:80 | postbackstat.biz | tcp |
Files
memory/3344-118-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\vinmall_da.exe
| MD5 | a1d00143873b96218372c6ae79090475 |
| SHA1 | 7076057730486912f44bc99374c4a5b72376e253 |
| SHA256 | 122104f07c14145af975d69374eb9c29f69f2913c0e9af762c5a9c1085530711 |
| SHA512 | 0d6415f2ee2163b77f4828f107c49278132177725646d8ab4d2bb4515684a4a84ad07fb38fb05fb193a29052cfab3b3e0d88e6f0f69d03254e769eb5fc2f18d7 |
memory/376-161-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe
| MD5 | 12b7c9704aa57489507a76980c7e8383 |
| SHA1 | cfed4dae8f721e4809399d8fb11cf8b5ed94b30c |
| SHA256 | 3fcda96bd514cc95ea2f8092b9759837d1a3fb6d8bffcbbf5c76109e3976339b |
| SHA512 | 497afb49c7a95f4be486a1c55e42832e5cd69012853e5a199e937f4c4544aa3f03bca2c62bcc03322eb504b51cbbcbffb580ec80dd55c7b7a580c6e04235977a |