Overview
overview
10Static
static
106c5db6dce1...3e.exe
windows7-x64
106c5db6dce1...3e.exe
windows10-2004-x64
10DusBrowserInst.exe
windows7-x64
6DusBrowserInst.exe
windows10-2004-x64
6IDWCH2.exe
windows7-x64
7IDWCH2.exe
windows10-2004-x64
7Litever01.exe
windows7-x64
10Litever01.exe
windows10-2004-x64
10NAN.exe
windows7-x64
10NAN.exe
windows10-2004-x64
10anyname.exe
windows7-x64
3anyname.exe
windows10-2004-x64
3app.exe
windows7-x64
10app.exe
windows10-2004-x64
10askinstall50.exe
windows7-x64
10askinstall50.exe
windows10-2004-x64
10farlab_setup.exe
windows7-x64
7farlab_setup.exe
windows10-2004-x64
7inst002.exe
windows7-x64
10inst002.exe
windows10-2004-x64
10jamesnew.exe
windows7-x64
3jamesnew.exe
windows10-2004-x64
3justdezine.exe
windows7-x64
10justdezine.exe
windows10-2004-x64
10md3_3kvm.exe
windows7-x64
10md3_3kvm.exe
windows10-2004-x64
10mixseven.exe
windows7-x64
10mixseven.exe
windows10-2004-x64
10redcloud.exe
windows7-x64
10redcloud.exe
windows10-2004-x64
10udptest.exe
windows7-x64
10udptest.exe
windows10-2004-x64
10Analysis
-
max time kernel
119s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
08-11-2024 01:40
Behavioral task
behavioral1
Sample
6c5db6dce13ded4e0e6c7e9a526b063e.exe
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral2
Sample
6c5db6dce13ded4e0e6c7e9a526b063e.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
DusBrowserInst.exe
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral4
Sample
DusBrowserInst.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
IDWCH2.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral6
Sample
IDWCH2.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
Litever01.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral8
Sample
Litever01.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
NAN.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral10
Sample
NAN.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
anyname.exe
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral12
Sample
anyname.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
app.exe
Resource
win7-20241023-en
windows7-x64
Behavioral task
behavioral14
Sample
app.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
askinstall50.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral16
Sample
askinstall50.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
farlab_setup.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral18
Sample
farlab_setup.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
inst002.exe
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral20
Sample
inst002.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
jamesnew.exe
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral22
Sample
jamesnew.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
justdezine.exe
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral24
Sample
justdezine.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
md3_3kvm.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral26
Sample
md3_3kvm.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
mixseven.exe
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral28
Sample
mixseven.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
redcloud.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral30
Sample
redcloud.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
udptest.exe
Resource
win7-20240903-en
windows7-x64
General
-
Target
askinstall50.exe
-
Size
1.4MB
-
MD5
68bc0c244bb2d261a9a7d007bb6e06d7
-
SHA1
4226d51ebf9d925de953e0a5a6b3784eabfc47b6
-
SHA256
fd53ca7be25f932d930f68ab7818359762dde5d3608271e7a27e815f5b30e9e4
-
SHA512
f52a04cd2a5d0f9f30be1b6827e95f5afe5f34d0453a78b000dd71d7d8e20467ef6f541a91858833704df6b1560cb5701eab08e5df0a86870b946b052cd6d9da
-
SSDEEP
24576:8IVFA1pqtg/TnMbX0lwyh0FVmEByA1EwFYyOsFTceoCSPZVjQtYfeXPPSTy:NFA1pvTMbOwa0TmUyMYEh1oCSPnQtY2/
Malware Config
Signatures
-
Socelars family
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 7 iplogger.org 8 iplogger.org -
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language askinstall50.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe -
Kills process with taskkill 1 IoCs
pid Process 2820 taskkill.exe -
Suspicious use of AdjustPrivilegeToken 35 IoCs
description pid Process Token: SeCreateTokenPrivilege 340 askinstall50.exe Token: SeAssignPrimaryTokenPrivilege 340 askinstall50.exe Token: SeLockMemoryPrivilege 340 askinstall50.exe Token: SeIncreaseQuotaPrivilege 340 askinstall50.exe Token: SeMachineAccountPrivilege 340 askinstall50.exe Token: SeTcbPrivilege 340 askinstall50.exe Token: SeSecurityPrivilege 340 askinstall50.exe Token: SeTakeOwnershipPrivilege 340 askinstall50.exe Token: SeLoadDriverPrivilege 340 askinstall50.exe Token: SeSystemProfilePrivilege 340 askinstall50.exe Token: SeSystemtimePrivilege 340 askinstall50.exe Token: SeProfSingleProcessPrivilege 340 askinstall50.exe Token: SeIncBasePriorityPrivilege 340 askinstall50.exe Token: SeCreatePagefilePrivilege 340 askinstall50.exe Token: SeCreatePermanentPrivilege 340 askinstall50.exe Token: SeBackupPrivilege 340 askinstall50.exe Token: SeRestorePrivilege 340 askinstall50.exe Token: SeShutdownPrivilege 340 askinstall50.exe Token: SeDebugPrivilege 340 askinstall50.exe Token: SeAuditPrivilege 340 askinstall50.exe Token: SeSystemEnvironmentPrivilege 340 askinstall50.exe Token: SeChangeNotifyPrivilege 340 askinstall50.exe Token: SeRemoteShutdownPrivilege 340 askinstall50.exe Token: SeUndockPrivilege 340 askinstall50.exe Token: SeSyncAgentPrivilege 340 askinstall50.exe Token: SeEnableDelegationPrivilege 340 askinstall50.exe Token: SeManageVolumePrivilege 340 askinstall50.exe Token: SeImpersonatePrivilege 340 askinstall50.exe Token: SeCreateGlobalPrivilege 340 askinstall50.exe Token: 31 340 askinstall50.exe Token: 32 340 askinstall50.exe Token: 33 340 askinstall50.exe Token: 34 340 askinstall50.exe Token: 35 340 askinstall50.exe Token: SeDebugPrivilege 2820 taskkill.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 340 wrote to memory of 1096 340 askinstall50.exe 32 PID 340 wrote to memory of 1096 340 askinstall50.exe 32 PID 340 wrote to memory of 1096 340 askinstall50.exe 32 PID 340 wrote to memory of 1096 340 askinstall50.exe 32 PID 1096 wrote to memory of 2820 1096 cmd.exe 34 PID 1096 wrote to memory of 2820 1096 cmd.exe 34 PID 1096 wrote to memory of 2820 1096 cmd.exe 34 PID 1096 wrote to memory of 2820 1096 cmd.exe 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\askinstall50.exe"C:\Users\Admin\AppData\Local\Temp\askinstall50.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:340 -
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2820
-
-