Windows Analysis Report duLT5gkRjy.exe

Overview

General Information

Sample Name: duLT5gkRjy.exe
Analysis ID: 528744
MD5: d42456f7afc812628a9ff67d8c9340eb
SHA1: 30f49d0f3d46cc9ccf8733247a0709555ad2099f
SHA256: a5b981c10065983578a2bca4399f901bd5a4e87b4ebe2d05c1f9971fb9fb36ac
Tags: exe, Socelars

Detection

Socelars
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Socelars
Multi AV Scanner detection for domain / URL
May check the online IP address of the machine
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Enables debug privileges
AV process strings found (often used to terminate AV products)
Enables driver privileges
PE file contains strange resources
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Enables security privileges
Monitors certain registry keys / values for changes (often done to protect autostart functionality)

AV Detection:

Found malware configuration
Source: duLT5gkRjy.exe Malware Configuration Extractor: Socelars {"C2 url": "http://ngdatas.pw/"}
Multi AV Scanner detection for submitted file
Source: duLT5gkRjy.exe Virustotal: Detection: 62%
Source: duLT5gkRjy.exe ReversingLabs: Detection: 59%
Multi AV Scanner detection for domain / URL
Source: www.listincode.com Virustotal: Detection: 9%

Compliance:

Uses 32bit PE files
Source: duLT5gkRjy.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown HTTPS traffic detected: 149.28.253.196:443 -> 192.168.2.7:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 5.9.162.45:443 -> 192.168.2.7:49737 version: TLS 1.2
Source: duLT5gkRjy.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

May check the online IP address of the machine
Source: C:\Users\user\Desktop\duLT5gkRjy.exe DNS query: name: iplogger.org
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://ngdatas.pw/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-CHOOPAUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 149.28.253.196
Source: Joe Sandbox View IP Address: 5.9.162.45
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36 Host: www.listincode.com Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /1GWfv7 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36 Host: iplogger.org Cache-Control: no-cache
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: duLT5gkRjy.exe String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: duLT5gkRjy.exe String found in binary or memory: http://ngdatas.pw/
Source: duLT5gkRjy.exe String found in binary or memory: http://ngdatas.pw/https://www.listincode.com/0.0.0.0%d.%d.%d.%dhttp-1ZIP
Source: Amcache.hve.3.dr String found in binary or memory: http://upx.sf.net
Source: duLT5gkRjy.exe String found in binary or memory: http://www.channelinfo.pw/index.php/Home/Index/getExe
Source: duLT5gkRjy.exe String found in binary or memory: http://www.channelinfo.pw/index.php/Home/Index/getExeidnameexe_urlexe_namerun_valuecountry_codeaband
Source: duLT5gkRjy.exe String found in binary or memory: http://www.ecgbg.com
Source: duLT5gkRjy.exe String found in binary or memory: http://www.ecgbg.com/Home/Index/getdata
Source: duLT5gkRjy.exe String found in binary or memory: https://prntscr.com/upload.php
Source: duLT5gkRjy.exe String found in binary or memory: https://prntscr.com/upload.phphttps://prntscr.com/upload.php
Source: duLT5gkRjy.exe String found in binary or memory: https://sm.ms/api/v2/upload?inajax=1
Source: duLT5gkRjy.exe String found in binary or memory: https://www.amazon.com/
Source: duLT5gkRjy.exe String found in binary or memory: https://www.aol.com
Source: duLT5gkRjy.exe String found in binary or memory: https://www.google.com
Source: duLT5gkRjy.exe String found in binary or memory: https://www.google.com/search?q=admob&oq=admob
Source: duLT5gkRjy.exe String found in binary or memory: https://www.listincode.com/
Source: unknown DNS traffic detected: queries for: www.listincode.com

System Summary:

Uses 32bit PE files
Source: duLT5gkRjy.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
One or more processes crash
Source: C:\Users\user\Desktop\duLT5gkRjy.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 1932
Detected potential crypto function
Source: C:\Users\user\Desktop\duLT5gkRjy.exe Code function: 1_2_0144095E
Source: C:\Users\user\Desktop\duLT5gkRjy.exe Code function: 1_2_013665C0
Source: C:\Users\user\Desktop\duLT5gkRjy.exe Code function: 1_2_0135A460
Source: C:\Users\user\Desktop\duLT5gkRjy.exe Code function: 1_2_014428C0
Source: C:\Users\user\Desktop\duLT5gkRjy.exe Code function: 1_2_013650B0
Source: C:\Users\user\Desktop\duLT5gkRjy.exe Code function: 1_2_0135CB60
Source: C:\Users\user\Desktop\duLT5gkRjy.exe Code function: 1_2_01361B40
Source: C:\Users\user\Desktop\duLT5gkRjy.exe Code function: 1_2_013623A0
Source: C:\Users\user\Desktop\duLT5gkRjy.exe Code function: 1_2_01352380
Source: C:\Users\user\Desktop\duLT5gkRjy.exe Code function: 1_2_0135B3F0
Source: C:\Users\user\Desktop\duLT5gkRjy.exe Code function: 1_2_01357A30
Source: C:\Users\user\Desktop\duLT5gkRjy.exe Code function: 1_2_01358E60
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\duLT5gkRjy.exe Code function: String function: 01357720 appears 47 times
PE file contains executable resources (Code or Archives)
Source: duLT5gkRjy.exe Static PE information: Resource name: ZIP type: Zip archive data, at least v1.0 to extract
Enables driver privileges
Source: C:\Users\user\Desktop\duLT5gkRjy.exe Process token adjusted: Load Driver
PE file contains strange resources
Source: duLT5gkRjy.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: duLT5gkRjy.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: duLT5gkRjy.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Enables security privileges
Source: C:\Users\user\Desktop\duLT5gkRjy.exe Process token adjusted: Security
Source: C:\Users\user\Desktop\duLT5gkRjy.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\duLT5gkRjy.exe "C:\Users\user\Desktop\duLT5gkRjy.exe"
Source: C:\Users\user\Desktop\duLT5gkRjy.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 1932
Source: C:\Users\user\Desktop\duLT5gkRjy.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7933.tmp
Source: classification engine Classification label: mal80.troj.winEXE@2/6@2/2
Source: duLT5gkRjy.exe, 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp, duLT5gkRjy.exe, 00000001.00000000.244816151.000000000146A000.00000002.00020000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: duLT5gkRjy.exe, 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp, duLT5gkRjy.exe, 00000001.00000000.244816151.000000000146A000.00000002.00020000.sdmp Binary or memory string: SELECT host,name,value,expiry FROM moz_cookies where host='.facebook.com';
Source: duLT5gkRjy.exe, 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp, duLT5gkRjy.exe, 00000001.00000000.244816151.000000000146A000.00000002.00020000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: duLT5gkRjy.exe, 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp, duLT5gkRjy.exe, 00000001.00000000.244816151.000000000146A000.00000002.00020000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: duLT5gkRjy.exe, 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp, duLT5gkRjy.exe, 00000001.00000000.244816151.000000000146A000.00000002.00020000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5068
Source: C:\Users\user\Desktop\duLT5gkRjy.exe Mutant created: \Sessions\1\BaseNamedObjects\patatoes
Source: C:\Users\user\Desktop\duLT5gkRjy.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: duLT5gkRjy.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: duLT5gkRjy.exe Static file information: File size 1552896 > 1048576
Source: duLT5gkRjy.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x112400
Source: duLT5gkRjy.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: duLT5gkRjy.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: duLT5gkRjy.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: duLT5gkRjy.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: duLT5gkRjy.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: duLT5gkRjy.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: duLT5gkRjy.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: duLT5gkRjy.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: duLT5gkRjy.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: duLT5gkRjy.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: duLT5gkRjy.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

PE file contains sections with non-standard names
Source: duLT5gkRjy.exe Static PE information: section name: .ogtrfyj
Source: duLT5gkRjy.exe Static PE information: section name: .ogtrfyj

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\WerFault.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: Amcache.hve.3.dr Binary or memory string: VMware
Source: Amcache.hve.3.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.3.dr Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.3.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr Binary or memory string: VMware7,1
Source: Amcache.hve.3.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr Binary or memory string: VMware, Inc.me
Source: Amcache.hve.3.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.3.dr Binary or memory string: VMware-42 35 44 6e 75 85 11 47-bd a2 bb ed 21 43 9f 89
Source: Amcache.hve.3.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\duLT5gkRjy.exe Code function: 1_2_0143B8A6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Enables debug privileges
Source: C:\Users\user\Desktop\duLT5gkRjy.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\duLT5gkRjy.exe Code function: 1_2_014524F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\duLT5gkRjy.exe Code function: 1_2_014483D7 mov eax, dword ptr fs:[00000030h]
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\duLT5gkRjy.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\duLT5gkRjy.exe Code function: 1_2_0143B8A6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\duLT5gkRjy.exe Code function: 1_2_01434F72 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: duLT5gkRjy.exe, 00000001.00000000.251065160.0000000001AF0000.00000002.00020000.sdmp, duLT5gkRjy.exe, 00000001.00000000.252030450.0000000001AF0000.00000002.00020000.sdmp Binary or memory string: uProgram Manager
Source: duLT5gkRjy.exe, 00000001.00000000.251065160.0000000001AF0000.00000002.00020000.sdmp, duLT5gkRjy.exe, 00000001.00000000.252030450.0000000001AF0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: duLT5gkRjy.exe, 00000001.00000000.251065160.0000000001AF0000.00000002.00020000.sdmp, duLT5gkRjy.exe, 00000001.00000000.252030450.0000000001AF0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: duLT5gkRjy.exe, 00000001.00000000.251065160.0000000001AF0000.00000002.00020000.sdmp, duLT5gkRjy.exe, 00000001.00000000.252030450.0000000001AF0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\duLT5gkRjy.exe Code function: 1_2_01436304 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
Source: C:\Users\user\Desktop\duLT5gkRjy.exe Code function: 1_2_014529E0 _free,_free,_free,GetTimeZoneInformation,_free

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: Amcache.hve.3.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe

Stealing of Sensitive Information:

Yara detected Socelars
Source: Yara match File source: duLT5gkRjy.exe, type: SAMPLE
Source: Yara match File source: 1.2.duLT5gkRjy.exe.1350000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.duLT5gkRjy.exe.1350000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.duLT5gkRjy.exe.1350000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.duLT5gkRjy.exe.1350000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.250943662.000000000146A000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.244816151.000000000146A000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.251852996.000000000146A000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: duLT5gkRjy.exe PID: 5068, type: MEMORYSTR