Analysis
max time kernel: 172s
max time network: 182s
platform: windows7_x64
resource: win7-en-20211208
submitted: 23/12/2021, 13:28
Static task: static1
Behavioral task: behavioral1
  Sample: 5707fb85eb581b726bce78afdd58b1226a53550767a30537f6994ed939982b3f.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 5707fb85eb581b726bce78afdd58b1226a53550767a30537f6994ed939982b3f.exe
  Resource: win10-en-20211208
General
Target: 5707fb85eb581b726bce78afdd58b1226a53550767a30537f6994ed939982b3f.exe
Size: 9.7MB
MD5: 6b296de2de00117bf1cbfcff13f51c19
SHA1: a1a4259256800752273745cfdfb4204603bd97d5
SHA256: 5707fb85eb581b726bce78afdd58b1226a53550767a30537f6994ed939982b3f
SHA512: 1728b264683a2598eabf692a7707d15559395a2950e4b112ff915b05aa10348daa4d80f2b39bbff530a47fa825fd7fe2cb6e1da901fb0a87fdca489bf8b4cb4f
Malware Config
Extracted: socelars
  http://www.biohazardgraphics.com/
Extracted: vidar
  49.2
  915
  https://mstdn.social/@kipriauk9
  https://qoto.org/@kipriauk8
  profile_id: 915
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
  description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
  pid: 1872 | pid_target: 2984 | Process: rundll32.exe | procid_target: 78

Socelars Payload (1 IoC)
  resource: behavioral1/files/0x000600000001261b-109.dat | yara_rule: family_socelars

NirSoft WebBrowserPassView (1 IoC)
Password recovery tool for various web browsers
  resource: behavioral1/files/0x000600000001266d-131.dat | yara_rule: WebBrowserPassView

Nirsoft (2 IoCs)
  resource: behavioral1/files/0x000600000001266d-131.dat | yara_rule: Nirsoft
  resource: behavioral1/memory/2496-240-0x0000000000400000-0x0000000000455000-memory.dmp | yara_rule: Nirsoft

Vidar Stealer (2 IoCs)
  resource: behavioral1/memory/1284-223-0x0000000001F60000-0x0000000002035000-memory.dmp | yara_rule: family_vidar
  resource: behavioral1/memory/1284-226-0x0000000000400000-0x000000000053E000-memory.dmp | yara_rule: family_vidar

aspack_v212_v242 (6 IoCs)
  resource: behavioral1/files/0x000700000001226a-70.dat | yara_rule: aspack_v212_v242
  resource: behavioral1/files/0x000700000001226a-71.dat | yara_rule: aspack_v212_v242
  resource: behavioral1/files/0x000700000001225c-72.dat | yara_rule: aspack_v212_v242
  resource: behavioral1/files/0x000700000001225c-73.dat | yara_rule: aspack_v212_v242
  resource: behavioral1/files/0x0007000000012284-76.dat | yara_rule: aspack_v212_v242
  resource: behavioral1/files/0x0007000000012284-77.dat | yara_rule: aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE (4 IoCs)
  pid 368: setup_installer.exe
  pid 1580: setup_install.exe
  pid 1284: Wed1585231a10aabd865.exe
  pid 1620: Wed15def1e1a6.exe

Loads dropped DLL (19 IoCs)
  pid 1540: 5707fb85eb581b726bce78afdd58b1226a53550767a30537f6994ed939982b3f.exe (1 entry)
  pid 368: setup_installer.exe (6 entries)
  pid 1580: setup_install.exe (8 entries)
  pid 1792: cmd.exe (2 entries)
  pid 1008: cmd.exe (2 entries)

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 41: ipinfo.io
  flow 42: ipinfo.io
  flow 44: ipinfo.io
  flow 15: ip-api.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (2 IoCs)
  pid: 2672 | pid_target: 1572 | Process: WerFault.exe | procid_target: 61
  pid: 2996 | pid_target: 1692 | Process: WerFault.exe | procid_target: 50

Kills process with taskkill (1 IoC)
  pid 2460: taskkill.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 1540 wrote to memory of 368 | 1540 | 5707fb85eb581b726bce78afdd58b1226a53550767a30537f6994ed939982b3f.exe | 27 (7 entries)
  PID 368 wrote to memory of 1580 | 368 | setup_installer.exe | 28 (7 entries)
  PID 1580 wrote to memory of 2028 | 1580 | setup_install.exe | 30 (7 entries)
  PID 1580 wrote to memory of 1920 | 1580 | setup_install.exe | 31 (7 entries)
  PID 1580 wrote to memory of 1400 | 1580 | setup_install.exe | 32 (7 entries)
  PID 2028 wrote to memory of 848 | 2028 | cmd.exe | 33 (7 entries)
  PID 1580 wrote to memory of 1008 | 1580 | setup_install.exe | 34 (7 entries)
  PID 1580 wrote to memory of 1060 | 1580 | setup_install.exe | 35 (7 entries)
  PID 1580 wrote to memory of 1792 | 1580 | setup_install.exe | 42 (7 entries)
  PID 1580 wrote to memory of 944 | 1580 | setup_install.exe | 36 (1 entry)
Processes (indentation shows parent/child depth; each entry lists image path, PID, command line and matched signatures)

C:\Users\Admin\AppData\Local\Temp\5707fb85eb581b726bce78afdd58b1226a53550767a30537f6994ed939982b3f.exe  [PID 1540]
  cmdline: "C:\Users\Admin\AppData\Local\Temp\5707fb85eb581b726bce78afdd58b1226a53550767a30537f6994ed939982b3f.exe"
  signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\setup_installer.exe  [PID 368]
    cmdline: "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
    signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\7zS071DD2C6\setup_install.exe  [PID 1580]
      cmdline: "C:\Users\Admin\AppData\Local\Temp\7zS071DD2C6\setup_install.exe"
      signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe  [PID 2028]
        cmdline: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
        signatures: Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [PID 848]
          cmdline: powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
      C:\Windows\SysWOW64\cmd.exe  [PID 1920]
        cmdline: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      C:\Windows\SysWOW64\cmd.exe  [PID 1400]
        cmdline: C:\Windows\system32\cmd.exe /c Wed153b85888b3614.exe /mixtwo
        C:\Users\Admin\AppData\Local\Temp\7zS071DD2C6\Wed153b85888b3614.exe  [PID 1300]
          cmdline: Wed153b85888b3614.exe /mixtwo
      C:\Windows\SysWOW64\cmd.exe  [PID 1008]
        cmdline: C:\Windows\system32\cmd.exe /c Wed1585231a10aabd865.exe
        signatures: Loads dropped DLL
        C:\Users\Admin\AppData\Local\Temp\7zS071DD2C6\Wed1585231a10aabd865.exe  [PID 1284]
          cmdline: Wed1585231a10aabd865.exe
          signatures: Executes dropped EXE
      C:\Windows\SysWOW64\cmd.exe  [PID 1060]
        cmdline: C:\Windows\system32\cmd.exe /c Wed153b15877dec9.exe
      C:\Windows\SysWOW64\cmd.exe  [PID 944]
        cmdline: C:\Windows\system32\cmd.exe /c Wed15ff85e6fb5cb658.exe
        C:\Users\Admin\AppData\Local\Temp\7zS071DD2C6\Wed15ff85e6fb5cb658.exe  [PID 1804]
          cmdline: Wed15ff85e6fb5cb658.exe
      C:\Windows\SysWOW64\cmd.exe  [PID 2000]
        cmdline: C:\Windows\system32\cmd.exe /c Wed150944bf7032c623.exe
        C:\Users\Admin\AppData\Local\Temp\7zS071DD2C6\Wed150944bf7032c623.exe  [PID 1692]
          cmdline: Wed150944bf7032c623.exe
          C:\Users\Admin\Pictures\Adobe Films\_6dGki2B4nvoYLCeFJfVO2ln.exe  [PID 1988]
            cmdline: "C:\Users\Admin\Pictures\Adobe Films\_6dGki2B4nvoYLCeFJfVO2ln.exe"
          C:\Windows\SysWOW64\WerFault.exe  [PID 2996]
            cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 1508
            signatures: Program crash
      C:\Windows\SysWOW64\cmd.exe  [PID 2044]
        cmdline: C:\Windows\system32\cmd.exe /c Wed1500c7d1d4.exe
        C:\Users\Admin\AppData\Local\Temp\7zS071DD2C6\Wed1500c7d1d4.exe  [PID 1572]
          cmdline: Wed1500c7d1d4.exe
          C:\Users\Admin\Pictures\Adobe Films\DZ4DKuRj_CZVq0KjwejnSc60.exe  [PID 1324]
            cmdline: "C:\Users\Admin\Pictures\Adobe Films\DZ4DKuRj_CZVq0KjwejnSc60.exe"
          C:\Windows\SysWOW64\WerFault.exe  [PID 2672]
            cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 1512
            signatures: Program crash
      C:\Windows\SysWOW64\cmd.exe  [PID 1756]
        cmdline: C:\Windows\system32\cmd.exe /c Wed15cf77e3ddc30.exe
        C:\Users\Admin\AppData\Local\Temp\7zS071DD2C6\Wed15cf77e3ddc30.exe  [PID 1408]
          cmdline: Wed15cf77e3ddc30.exe
          C:\Users\Admin\AppData\Local\Temp\11111.exe  [PID 2496]
            cmdline: C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
          C:\Users\Admin\AppData\Local\Temp\11111.exe  [PID 2836]
            cmdline: C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      C:\Windows\SysWOW64\cmd.exe  [PID 1792]
        cmdline: C:\Windows\system32\cmd.exe /c Wed150790bf65e4c8f4.exe
        signatures: Loads dropped DLL
      C:\Windows\SysWOW64\cmd.exe  [PID 684]
        cmdline: C:\Windows\system32\cmd.exe /c Wed150ca0ddb4.exe
        C:\Users\Admin\AppData\Local\Temp\7zS071DD2C6\Wed150ca0ddb4.exe  [PID 896]
          cmdline: Wed150ca0ddb4.exe
          C:\Users\Admin\AppData\Local\Temp\7zS071DD2C6\Wed150ca0ddb4.exe  [PID 1044]
            cmdline: C:\Users\Admin\AppData\Local\Temp\7zS071DD2C6\Wed150ca0ddb4.exe
      C:\Windows\SysWOW64\cmd.exe  [PID 1504]
        cmdline: C:\Windows\system32\cmd.exe /c Wed15e36a85c94ce.exe
        C:\Users\Admin\AppData\Local\Temp\7zS071DD2C6\Wed15e36a85c94ce.exe  [PID 1660]
          cmdline: Wed15e36a85c94ce.exe
      C:\Windows\SysWOW64\cmd.exe  [PID 1600]
        cmdline: C:\Windows\system32\cmd.exe /c Wed15d8c997dfcb85ac.exe
        C:\Users\Admin\AppData\Local\Temp\7zS071DD2C6\Wed15d8c997dfcb85ac.exe  [PID 1644]
          cmdline: Wed15d8c997dfcb85ac.exe
          C:\Windows\SysWOW64\control.exe  [PID 2644]
            cmdline: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\nQBIF.cPl",
            C:\Windows\SysWOW64\rundll32.exe  [PID 2664]
              cmdline: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\nQBIF.cPl",
      C:\Windows\SysWOW64\cmd.exe  [PID 1168]
        cmdline: C:\Windows\system32\cmd.exe /c Wed15f7625124.exe
        C:\Users\Admin\AppData\Local\Temp\7zS071DD2C6\Wed15f7625124.exe  [PID 828]
          cmdline: Wed15f7625124.exe
          C:\Users\Admin\AppData\Local\40859f63-9a67-41f4-bf1c-3361e1211621.exe  [PID 280]
            cmdline: "C:\Users\Admin\AppData\Local\40859f63-9a67-41f4-bf1c-3361e1211621.exe"
      C:\Windows\SysWOW64\cmd.exe  [PID 1200]
        cmdline: C:\Windows\system32\cmd.exe /c Wed156dcbb535.exe
      C:\Windows\SysWOW64\cmd.exe  [PID 1520]
        cmdline: C:\Windows\system32\cmd.exe /c Wed15581b4e451c4f72.exe
        C:\Users\Admin\AppData\Local\Temp\7zS071DD2C6\Wed15581b4e451c4f72.exe  [PID 1164]
          cmdline: Wed15581b4e451c4f72.exe
          C:\Users\Admin\AppData\Local\Temp\7zS071DD2C6\Wed15581b4e451c4f72.exe  [PID 2972]
            cmdline: C:\Users\Admin\AppData\Local\Temp\7zS071DD2C6\Wed15581b4e451c4f72.exe
      C:\Windows\SysWOW64\cmd.exe  [PID 580]
        cmdline: C:\Windows\system32\cmd.exe /c Wed15def1e1a6.exe
        C:\Users\Admin\AppData\Local\Temp\7zS071DD2C6\Wed15def1e1a6.exe  [PID 1620]
          cmdline: Wed15def1e1a6.exe
          signatures: Executes dropped EXE
          C:\Users\Admin\AppData\Local\Temp\7zS071DD2C6\Wed150790bf65e4c8f4.exe  [PID 824]
            cmdline: "C:\Users\Admin\AppData\Local\Temp\7zS071DD2C6\Wed150790bf65e4c8f4.exe" -u
          C:\Windows\SysWOW64\control.exe  [PID 2436]
            cmdline: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\PWGKod.Cpl",
            C:\Windows\SysWOW64\rundll32.exe  [PID 2516]
              cmdline: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\PWGKod.Cpl",
      C:\Windows\SysWOW64\cmd.exe  [PID 536]
        cmdline: C:\Windows\system32\cmd.exe /c Wed15f5f024996c4fec.exe

C:\Users\Admin\AppData\Local\Temp\7zS071DD2C6\Wed150790bf65e4c8f4.exe  [PID 1620]
  cmdline: Wed150790bf65e4c8f4.exe

C:\Users\Admin\AppData\Local\Temp\7zS071DD2C6\Wed153b85888b3614.exe  [PID 776]
  cmdline: Wed153b85888b3614.exe /mixtwo
  C:\Windows\SysWOW64\cmd.exe  [PID 2364]
    cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im "Wed153b85888b3614.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS071DD2C6\Wed153b85888b3614.exe" & exit
    C:\Windows\SysWOW64\taskkill.exe  [PID 2460]
      cmdline: taskkill /im "Wed153b85888b3614.exe" /f
      signatures: Kills process with taskkill

C:\Users\Admin\AppData\Local\Temp\7zS071DD2C6\Wed15f5f024996c4fec.exe  [PID 1144]
  cmdline: Wed15f5f024996c4fec.exe

C:\Windows\system32\rundll32.exe  [PID 1872]
  cmdline: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  signatures: Process spawned unexpected child process
  C:\Windows\SysWOW64\rundll32.exe  [PID 1544]
    cmdline: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global