93708ec7bc1f9f7581cc2e1310a46000ad38128e19eb1e92db88e59d425b3e15

Analysis

max time kernel
150s
max time network
143s
platform
windows7_x64
resource
win7-20220414-en
submitted
25-05-2022 22:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WW14.exe
Size

232KB
MD5

5546c1ab6768292b78c746d9ea627f4a
SHA1

be3bf3f21b6101099bcfd7203a179829aea4b435
SHA256

93708ec7bc1f9f7581cc2e1310a46000ad38128e19eb1e92db88e59d425b3e15
SHA512

90d341f42f80c99558b9659e6cc39f7211acaf4010234c51f7cc66d729102f25b50bf29688ee29b8a4031b4f35d4666617a278ba1754c96c26aa6759027f601f

Score

10^/10

evasion spyware stealer suricata trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata
Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
580	NiceProcessX64.bmp.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\International\Geo\Nation	WW14.exe

Loads dropped DLL 1 IoCs

pid	Process
328	WW14.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ipinfo.io
15	ipinfo.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
916	328	WerFault.exe	26

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
328	WW14.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe
580	NiceProcessX64.bmp.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 328 wrote to memory of 580	328	WW14.exe	29
PID 328 wrote to memory of 580	328	WW14.exe	29
PID 328 wrote to memory of 580	328	WW14.exe	29
PID 328 wrote to memory of 580	328	WW14.exe	29
PID 328 wrote to memory of 916	328	WW14.exe	30
PID 328 wrote to memory of 916	328	WW14.exe	30
PID 328 wrote to memory of 916	328	WW14.exe	30
PID 328 wrote to memory of 916	328	WW14.exe	30

C:\Users\Admin\AppData\Local\Temp\WW14.exe
"C:\Users\Admin\AppData\Local\Temp\WW14.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:328
- C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe
  "C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:580
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 328 -s 1400
  2⤵
  - Program crash
  PID:916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe

Filesize
318KB

MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe

Filesize
318KB

MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
memory/328-54-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

Filesize
8KB

Download
memory/328-55-0x0000000003D40000-0x0000000003F00000-memory.dmp

Filesize
1.8MB

Download