93708ec7bc1f9f7581cc2e1310a46000ad38128e19eb1e92db88e59d425b3e15

General

Target

WW14.exe
Size

232KB
MD5

5546c1ab6768292b78c746d9ea627f4a
SHA1

be3bf3f21b6101099bcfd7203a179829aea4b435
SHA256

93708ec7bc1f9f7581cc2e1310a46000ad38128e19eb1e92db88e59d425b3e15
SHA512

90d341f42f80c99558b9659e6cc39f7211acaf4010234c51f7cc66d729102f25b50bf29688ee29b8a4031b4f35d4666617a278ba1754c96c26aa6759027f601f

Score

10^/10

evasion spyware stealer suricata trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

NiceProcessX64.bmp.exe

pid process

580 NiceProcessX64.bmp.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WW14.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\International\Geo\Nation WW14.exe
Loads dropped DLL 1 IoCs

Processes:

WW14.exe

pid process

328 WW14.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

14 ipinfo.io
15 ipinfo.io
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

916 328 WerFault.exe WW14.exe

pid	process
580	NiceProcessX64.bmp.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\International\Geo\Nation	WW14.exe

flow	ioc
14	ipinfo.io
15	ipinfo.io

pid	pid_target	process	target process
916	328	WerFault.exe	WW14.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

WW14.exeNiceProcessX64.bmp.exe

pid	process
328	WW14.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

WW14.exe

description	pid	process	target process
PID 328 wrote to memory of 580	328	WW14.exe	NiceProcessX64.bmp.exe
PID 328 wrote to memory of 580	328	WW14.exe	NiceProcessX64.bmp.exe
PID 328 wrote to memory of 580	328	WW14.exe	NiceProcessX64.bmp.exe
PID 328 wrote to memory of 580	328	WW14.exe	NiceProcessX64.bmp.exe
PID 328 wrote to memory of 916	328	WW14.exe	WerFault.exe
PID 328 wrote to memory of 916	328	WW14.exe	WerFault.exe
PID 328 wrote to memory of 916	328	WW14.exe	WerFault.exe
PID 328 wrote to memory of 916	328	WW14.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\WW14.exe
"C:\Users\Admin\AppData\Local\Temp\WW14.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:328

C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 328 -s 1400
2⤵
- Program crash
PID:916

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Disabling Security Tools

1

T1089

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe
Filesize
318KB

MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe
Filesize
318KB

MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
memory/328-54-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

Filesize
8KB

Download
memory/328-55-0x0000000003D40000-0x0000000003F00000-memory.dmp

Filesize
1.8MB

Download
memory/580-57-0x0000000000000000-mapping.dmp

Download
memory/916-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing