Analysis
- max time kernel: 23s
- max time network: 77s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 02-12-2022 18:59
Behavioral task: behavioral1
- Sample: 6a7df355fd563f58a89030abd55512a0.exe
- Resource: win7-20221111-en (windows7-x64)
- 7 signatures
- 150 seconds
General
- Target: 6a7df355fd563f58a89030abd55512a0.exe
- Size: 707KB
- MD5: 6a7df355fd563f58a89030abd55512a0
- SHA1: b6a1c3fc4f8a072d2063dc5475098ff5806316dd
- SHA256: 33bf4bfeb68050cdfadbbdbda375e74617ea65c12e3e02ef2eb87a83ea305e96
- SHA512: b824d85fc3ba9ad9ca42d3af31d334bfe62ee0dddb94ab66847e132cd4e0c668c277d39692b643269def2b904bf6ce75d49d4f92cb4466a7a48150a494fd5040
- SSDEEP: 12288:0E1M9Vh3xscEe7b1QfOy6zNM1lPHmVVbvwhlXf5vGLcCu4dS:BM9DQQyD1lPH0V7ulXx0
Malware Config
Extracted
- Family: socelars
- C2: https://hdbywe.s3.us-west-2.amazonaws.com/sauydga27/
Signatures

Socelars payload (1 IoCs)
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/1628-55-0x0000000000400000-0x000000000059F000-memory.dmp   family_socelars

Processes:
  resource                                                                      yara_rule
  behavioral1/memory/1628-55-0x0000000000400000-0x000000000059F000-memory.dmp   upx
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Program crash (1 IoCs)
Processes:
  pid   pid_target   process        target process
  568   1628         WerFault.exe   6a7df355fd563f58a89030abd55512a0.exe
Suspicious use of AdjustPrivilegeToken (34 IoCs)
Processes:
  description                            pid    process
  Token: SeCreateTokenPrivilege          1628   6a7df355fd563f58a89030abd55512a0.exe
  Token: SeAssignPrimaryTokenPrivilege   1628   6a7df355fd563f58a89030abd55512a0.exe
  Token: SeLockMemoryPrivilege           1628   6a7df355fd563f58a89030abd55512a0.exe
  Token: SeIncreaseQuotaPrivilege        1628   6a7df355fd563f58a89030abd55512a0.exe
  Token: SeMachineAccountPrivilege       1628   6a7df355fd563f58a89030abd55512a0.exe
  Token: SeTcbPrivilege                  1628   6a7df355fd563f58a89030abd55512a0.exe
  Token: SeSecurityPrivilege             1628   6a7df355fd563f58a89030abd55512a0.exe
  Token: SeTakeOwnershipPrivilege        1628   6a7df355fd563f58a89030abd55512a0.exe
  Token: SeLoadDriverPrivilege           1628   6a7df355fd563f58a89030abd55512a0.exe
  Token: SeSystemProfilePrivilege        1628   6a7df355fd563f58a89030abd55512a0.exe
  Token: SeSystemtimePrivilege           1628   6a7df355fd563f58a89030abd55512a0.exe
  Token: SeProfSingleProcessPrivilege    1628   6a7df355fd563f58a89030abd55512a0.exe
  Token: SeIncBasePriorityPrivilege      1628   6a7df355fd563f58a89030abd55512a0.exe
  Token: SeCreatePagefilePrivilege       1628   6a7df355fd563f58a89030abd55512a0.exe
  Token: SeCreatePermanentPrivilege      1628   6a7df355fd563f58a89030abd55512a0.exe
  Token: SeBackupPrivilege               1628   6a7df355fd563f58a89030abd55512a0.exe
  Token: SeRestorePrivilege              1628   6a7df355fd563f58a89030abd55512a0.exe
  Token: SeShutdownPrivilege             1628   6a7df355fd563f58a89030abd55512a0.exe
  Token: SeDebugPrivilege                1628   6a7df355fd563f58a89030abd55512a0.exe
  Token: SeAuditPrivilege                1628   6a7df355fd563f58a89030abd55512a0.exe
  Token: SeSystemEnvironmentPrivilege    1628   6a7df355fd563f58a89030abd55512a0.exe
  Token: SeChangeNotifyPrivilege         1628   6a7df355fd563f58a89030abd55512a0.exe
  Token: SeRemoteShutdownPrivilege       1628   6a7df355fd563f58a89030abd55512a0.exe
  Token: SeUndockPrivilege               1628   6a7df355fd563f58a89030abd55512a0.exe
  Token: SeSyncAgentPrivilege            1628   6a7df355fd563f58a89030abd55512a0.exe
  Token: SeEnableDelegationPrivilege     1628   6a7df355fd563f58a89030abd55512a0.exe
  Token: SeManageVolumePrivilege         1628   6a7df355fd563f58a89030abd55512a0.exe
  Token: SeImpersonatePrivilege          1628   6a7df355fd563f58a89030abd55512a0.exe
  Token: SeCreateGlobalPrivilege         1628   6a7df355fd563f58a89030abd55512a0.exe
  Token: 31                              1628   6a7df355fd563f58a89030abd55512a0.exe
  Token: 32                              1628   6a7df355fd563f58a89030abd55512a0.exe
  Token: 33                              1628   6a7df355fd563f58a89030abd55512a0.exe
  Token: 34                              1628   6a7df355fd563f58a89030abd55512a0.exe
  Token: 35                              1628   6a7df355fd563f58a89030abd55512a0.exe
Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description                       pid    process                                target process
  PID 1628 wrote to memory of 568   1628   6a7df355fd563f58a89030abd55512a0.exe   WerFault.exe
  PID 1628 wrote to memory of 568   1628   6a7df355fd563f58a89030abd55512a0.exe   WerFault.exe
  PID 1628 wrote to memory of 568   1628   6a7df355fd563f58a89030abd55512a0.exe   WerFault.exe
  PID 1628 wrote to memory of 568   1628   6a7df355fd563f58a89030abd55512a0.exe   WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\6a7df355fd563f58a89030abd55512a0.exe
  "C:\Users\Admin\AppData\Local\Temp\6a7df355fd563f58a89030abd55512a0.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 644
    - Program crash