
Windows Analysis Report duLT5gkRjy.exe

Overview

General Information

Sample Name: duLT5gkRjy.exe
Analysis ID: 528744
MD5: d42456f7afc812628a9ff67d8c9340eb
SHA1: 30f49d0f3d46cc9ccf8733247a0709555ad2099f
SHA256: a5b981c10065983578a2bca4399f901bd5a4e87b4ebe2d05c1f9971fb9fb36ac
Tags: exe, Socelars

Detection

Socelars
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Socelars
Multi AV Scanner detection for domain / URL
May check the online IP address of the machine
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Enables debug privileges
AV process strings found (often used to terminate AV products)
Enables driver privileges
PE file contains strange resources
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Enables security privileges
Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Classification

Process Tree

  • System is w10x64
  • duLT5gkRjy.exe (PID: 5068 cmdline: "C:\Users\user\Desktop\duLT5gkRjy.exe" MD5: D42456F7AFC812628A9FF67D8C9340EB)
    • WerFault.exe (PID: 4060 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 1932 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: Socelars

{"C2 url": "http://ngdatas.pw/"}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
duLT5gkRjy.exe | JoeSecurity_Socelars | Yara detected Socelars | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp | JoeSecurity_Socelars | Yara detected Socelars | Joe Security |
00000001.00000000.250943662.000000000146A000.00000002.00020000.sdmp | JoeSecurity_Socelars | Yara detected Socelars | Joe Security |
00000001.00000000.244816151.000000000146A000.00000002.00020000.sdmp | JoeSecurity_Socelars | Yara detected Socelars | Joe Security |
00000001.00000000.251852996.000000000146A000.00000002.00020000.sdmp | JoeSecurity_Socelars | Yara detected Socelars | Joe Security |
Process Memory Space: duLT5gkRjy.exe PID: 5068 | JoeSecurity_Socelars | Yara detected Socelars | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.duLT5gkRjy.exe.1350000.0.unpack | JoeSecurity_Socelars | Yara detected Socelars | Joe Security |
1.0.duLT5gkRjy.exe.1350000.2.unpack | JoeSecurity_Socelars | Yara detected Socelars | Joe Security |
1.0.duLT5gkRjy.exe.1350000.0.unpack | JoeSecurity_Socelars | Yara detected Socelars | Joe Security |
1.0.duLT5gkRjy.exe.1350000.1.unpack | JoeSecurity_Socelars | Yara detected Socelars | Joe Security |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: duLT5gkRjy.exe | Malware Configuration Extractor: Socelars {"C2 url": "http://ngdatas.pw/"}
Multi AV Scanner detection for submitted file
Source: duLT5gkRjy.exe | Virustotal: Detection: 62%
Source: duLT5gkRjy.exe | ReversingLabs: Detection: 59%
Multi AV Scanner detection for domain / URL
Source: www.listincode.com | Virustotal: Detection: 9%
Source: duLT5gkRjy.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown | HTTPS traffic detected: 149.28.253.196:443 -> 192.168.2.7:49736 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 5.9.162.45:443 -> 192.168.2.7:49737 version: TLS 1.2
Source: duLT5gkRjy.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

May check the online IP address of the machine
Source: C:\Users\user\Desktop\duLT5gkRjy.exe | DNS query: name: iplogger.org
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: http://ngdatas.pw/
Source: Joe Sandbox View | ASN Name: AS-CHOOPAUS
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Joe Sandbox View | IP Address: 149.28.253.196
Source: Joe Sandbox View | IP Address: 5.9.162.45
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36; Host: www.listincode.com; Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /1GWfv7 HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36; Host: iplogger.org; Cache-Control: no-cache
Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
Source: duLT5gkRjy.exe | String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: duLT5gkRjy.exe | String found in binary or memory: http://ngdatas.pw/
Source: duLT5gkRjy.exe | String found in binary or memory: http://ngdatas.pw/https://www.listincode.com/0.0.0.0%d.%d.%d.%dhttp-1ZIP
Source: Amcache.hve.3.dr | String found in binary or memory: http://upx.sf.net
Source: duLT5gkRjy.exe | String found in binary or memory: http://www.channelinfo.pw/index.php/Home/Index/getExe
Source: duLT5gkRjy.exe | String found in binary or memory: http://www.channelinfo.pw/index.php/Home/Index/getExeidnameexe_urlexe_namerun_valuecountry_codeaband
Source: duLT5gkRjy.exe | String found in binary or memory: http://www.ecgbg.com
Source: duLT5gkRjy.exe | String found in binary or memory: http://www.ecgbg.com/Home/Index/getdata
Source: duLT5gkRjy.exe | String found in binary or memory: https://prntscr.com/upload.php
Source: duLT5gkRjy.exe | String found in binary or memory: https://prntscr.com/upload.phphttps://prntscr.com/upload.php
Source: duLT5gkRjy.exe | String found in binary or memory: https://sm.ms/api/v2/upload?inajax=1
Source: duLT5gkRjy.exe | String found in binary or memory: https://www.amazon.com/
Source: duLT5gkRjy.exe | String found in binary or memory: https://www.aol.com
Source: duLT5gkRjy.exe | String found in binary or memory: https://www.google.com
Source: duLT5gkRjy.exe | String found in binary or memory: https://www.google.com/search?q=admob&oq=admob
Source: duLT5gkRjy.exe | String found in binary or memory: https://www.listincode.com/
Source: unknown | DNS traffic detected: queries for: www.listincode.com
Source: C:\Users\user\Desktop\duLT5gkRjy.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 1932
Source: C:\Users\user\Desktop\duLT5gkRjy.exe | Code function: 1_2_0144095E
Source: C:\Users\user\Desktop\duLT5gkRjy.exe | Code function: 1_2_013665C0
Source: C:\Users\user\Desktop\duLT5gkRjy.exe | Code function: 1_2_0135A460
Source: C:\Users\user\Desktop\duLT5gkRjy.exe | Code function: 1_2_014428C0
Source: C:\Users\user\Desktop\duLT5gkRjy.exe | Code function: 1_2_013650B0
Source: C:\Users\user\Desktop\duLT5gkRjy.exe | Code function: 1_2_0135CB60
Source: C:\Users\user\Desktop\duLT5gkRjy.exe | Code function: 1_2_01361B40
Source: C:\Users\user\Desktop\duLT5gkRjy.exe | Code function: 1_2_013623A0
Source: C:\Users\user\Desktop\duLT5gkRjy.exe | Code function: 1_2_01352380
Source: C:\Users\user\Desktop\duLT5gkRjy.exe | Code function: 1_2_0135B3F0
Source: C:\Users\user\Desktop\duLT5gkRjy.exe | Code function: 1_2_01357A30
Source: C:\Users\user\Desktop\duLT5gkRjy.exe | Code function: 1_2_01358E60
Source: C:\Users\user\Desktop\duLT5gkRjy.exe | Code function: String function: 01357720 appears 47 times
Source: duLT5gkRjy.exe | Static PE information: Resource name: ZIP type: Zip archive data, at least v1.0 to extract
Source: C:\Users\user\Desktop\duLT5gkRjy.exe | Process token adjusted: Load Driver
Source: duLT5gkRjy.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: duLT5gkRjy.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: duLT5gkRjy.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\duLT5gkRjy.exe | Process token adjusted: Security
Source: duLT5gkRjy.exe | Virustotal: Detection: 62%
Source: duLT5gkRjy.exe | ReversingLabs: Detection: 59%
Source: C:\Users\user\Desktop\duLT5gkRjy.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\duLT5gkRjy.exe "C:\Users\user\Desktop\duLT5gkRjy.exe"
Source: C:\Users\user\Desktop\duLT5gkRjy.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 1932
Source: C:\Users\user\Desktop\duLT5gkRjy.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7933.tmp
Source: classification engine | Classification label: mal80.troj.winEXE@2/6@2/2
Source: duLT5gkRjy.exe, 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp, duLT5gkRjy.exe, 00000001.00000000.244816151.000000000146A000.00000002.00020000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: duLT5gkRjy.exe, 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp, duLT5gkRjy.exe, 00000001.00000000.244816151.000000000146A000.00000002.00020000.sdmp | Binary or memory string: SELECT host,name,value,expiry FROM moz_cookies where host='.facebook.com';
Source: duLT5gkRjy.exe, 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp, duLT5gkRjy.exe, 00000001.00000000.244816151.000000000146A000.00000002.00020000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: duLT5gkRjy.exe, 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp, duLT5gkRjy.exe, 00000001.00000000.244816151.000000000146A000.00000002.00020000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: duLT5gkRjy.exe, 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp, duLT5gkRjy.exe, 00000001.00000000.244816151.000000000146A000.00000002.00020000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5068
Source: C:\Users\user\Desktop\duLT5gkRjy.exe | Mutant created: \Sessions\1\BaseNamedObjects\patatoes
Source: C:\Users\user\Desktop\duLT5gkRjy.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: duLT5gkRjy.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: duLT5gkRjy.exe | Static file information: File size 1552896 > 1048576
Source: duLT5gkRjy.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x112400
Source: duLT5gkRjy.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: duLT5gkRjy.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: duLT5gkRjy.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: duLT5gkRjy.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: duLT5gkRjy.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: duLT5gkRjy.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: duLT5gkRjy.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: duLT5gkRjy.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: duLT5gkRjy.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: duLT5gkRjy.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: duLT5gkRjy.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: duLT5gkRjy.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: duLT5gkRjy.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: duLT5gkRjy.exe | Static PE information: section name: .ogtrfyj
Source: C:\Windows\SysWOW64\WerFault.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: Amcache.hve.3.dr | Binary or memory string: VMware
Source: Amcache.hve.3.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.3.dr | Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.3.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr | Binary or memory string: VMware7,1
Source: Amcache.hve.3.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr | Binary or memory string: VMware, Inc.me
Source: Amcache.hve.3.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.3.dr | Binary or memory string: VMware-42 35 44 6e 75 85 11 47-bd a2 bb ed 21 43 9f 89
Source: Amcache.hve.3.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: C:\Users\user\Desktop\duLT5gkRjy.exe | Code function: 1_2_0143B8A6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\duLT5gkRjy.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\duLT5gkRjy.exe | Code function: 1_2_014524F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\duLT5gkRjy.exe | Code function: 1_2_014483D7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\duLT5gkRjy.exe | Process queried: DebugPort
                      Source: C:\Users\user\Desktop\duLT5gkRjy.exeCode function: 1_2_01434F72 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_01434F72
                      Source: duLT5gkRjy.exe, 00000001.00000000.251065160.0000000001AF0000.00000002.00020000.sdmp, duLT5gkRjy.exe, 00000001.00000000.252030450.0000000001AF0000.00000002.00020000.sdmpBinary or memory string: uProgram Manager
                      Source: duLT5gkRjy.exe, 00000001.00000000.251065160.0000000001AF0000.00000002.00020000.sdmp, duLT5gkRjy.exe, 00000001.00000000.252030450.0000000001AF0000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
                      Source: duLT5gkRjy.exe, 00000001.00000000.251065160.0000000001AF0000.00000002.00020000.sdmp, duLT5gkRjy.exe, 00000001.00000000.252030450.0000000001AF0000.00000002.00020000.sdmpBinary or memory string: Progman
                      Source: duLT5gkRjy.exe, 00000001.00000000.251065160.0000000001AF0000.00000002.00020000.sdmp, duLT5gkRjy.exe, 00000001.00000000.252030450.0000000001AF0000.00000002.00020000.sdmpBinary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\duLT5gkRjy.exeCode function: 1_2_01436304 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,1_2_01436304
                      Source: C:\Users\user\Desktop\duLT5gkRjy.exeCode function: 1_2_014529E0 _free,_free,_free,GetTimeZoneInformation,_free,1_2_014529E0
                      Source: Amcache.hve.3.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
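The signature lines above flag two ways the sample looks for a debugger: a direct read of the PEB pointer from the TEB (mov eax, dword ptr fs:[30h], whose byte 2 is PEB.BeingDebugged) and calls to IsDebuggerPresent plus a DebugPort query. The following static triage scanner is an added example written for this page; it is not code from the report or from the sample. It searches a byte blob for the instruction encodings that load the PEB pointer (32-bit fs:[30h] in both the short eax form and the generic ModRM form for any register, plus the 64-bit gs:[60h] form) and for the names of the debugger-check APIs the report lists, then maps the hits onto the report's own signature wording. The byte sample at the bottom is constructed for the demonstration and is not extracted from duLT5gkRjy.exe.

```python
"""Static triage for the PEB-read and debugger-check indicators flagged in the report.

Added example, not part of the sandbox report. The byte sample at the bottom is
constructed; it is not data taken from duLT5gkRjy.exe.
"""
from typing import List, NamedTuple, Tuple


class Hit(NamedTuple):
    offset: int
    kind: str      # "peb_access" or "api_string"
    detail: str    # disassembly text or API name


REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def peb_access_patterns() -> List[Tuple[bytes, str]]:
    """Encodings that load the PEB pointer from the TEB.

    32-bit: fs:[30h] is TEB.ProcessEnvironmentBlock.
      64 A1 30 00 00 00       mov eax, dword ptr fs:[30h]   (short moffs form)
      64 8B /r 30 00 00 00    mov r32, dword ptr fs:[30h]   (ModRM mod=00, rm=101 -> disp32)
    64-bit: gs:[60h] is the same field.
      65 48 8B 04 25 60 00 00 00   mov rax, qword ptr gs:[60h]
    """
    pats = [(b"\x64\xA1\x30\x00\x00\x00", "mov eax, dword ptr fs:[30h]")]
    for reg_idx, reg in enumerate(REG32):
        modrm = (reg_idx << 3) | 0b101
        pats.append((bytes([0x64, 0x8B, modrm]) + b"\x30\x00\x00\x00",
                     f"mov {reg}, dword ptr fs:[30h]"))
    pats.append((b"\x65\x48\x8B\x04\x25\x60\x00\x00\x00",
                 "mov rax, qword ptr gs:[60h]"))
    return pats


# API names the report attributes to the sample's debugger checks.
DEBUG_API_NAMES = [
    b"IsDebuggerPresent",
    b"CheckRemoteDebuggerPresent",
    b"NtQueryInformationProcess",    # the usual route for a ProcessDebugPort query
    b"SetUnhandledExceptionFilter",
]


def _find_all(blob: bytes, needle: bytes) -> List[int]:
    """All (possibly overlapping) offsets of needle in blob."""
    offsets, start = [], 0
    while (pos := blob.find(needle, start)) != -1:
        offsets.append(pos)
        start = pos + 1
    return offsets


def scan(blob: bytes) -> List[Hit]:
    """Return every PEB-read encoding and debugger-API name found, sorted by offset."""
    hits: List[Hit] = []
    for pattern, text in peb_access_patterns():
        hits += [Hit(off, "peb_access", text) for off in _find_all(blob, pattern)]
    for name in DEBUG_API_NAMES:
        hits += [Hit(off, "api_string", name.decode()) for off in _find_all(blob, name)]
    return sorted(hits)


def signatures(hits: List[Hit]) -> List[str]:
    """Map hits onto the wording the report uses for the matching signatures."""
    out = []
    if any(h.kind == "peb_access" for h in hits):
        out.append("Contains functionality to read the PEB")
    if any(h.detail == "IsDebuggerPresent" for h in hits):
        out.append("Contains functionality to check if a debugger is running (IsDebuggerPresent)")
    if any(h.detail == "NtQueryInformationProcess" for h in hits):
        out.append("Checks if the current process is being debugged (candidate DebugPort query)")
    return out


# Constructed sample: a BeingDebugged check, a second PEB load, and two import
# names, laid out as they might sit in a .text/.rdata slice.
SAMPLE = (
    b"\x55\x8B\xEC"                      # push ebp; mov ebp, esp
    + b"\x64\xA1\x30\x00\x00\x00"        # mov eax, dword ptr fs:[30h]   ; PEB
    + b"\x0F\xB6\x40\x02"                # movzx eax, byte ptr [eax+2]   ; PEB.BeingDebugged
    + b"\x85\xC0"                        # test eax, eax
    + b"\x90" * 8                        # padding
    + b"\x64\x8B\x0D\x30\x00\x00\x00"    # mov ecx, dword ptr fs:[30h]
    + b"\x00IsDebuggerPresent\x00NtQueryInformationProcess\x00"
)


if __name__ == "__main__":
    found = scan(SAMPLE)
    for h in found:
        print(f"{h.offset:#06x}  {h.kind:<10}  {h.detail}")
    print(*signatures(found), sep="\n")
```

Run it against a dumped section or the unpacked image the Yara rule matched (1.2.duLT5gkRjy.exe.1350000.0.unpack) rather than the packed file on disk; the report's own PEB-read signature was raised on decoded code. A hit on the encoding alone is only a lead: the PEB is also read for benign reasons (heap handles, module lists), so the follow-up is to check whether the loaded pointer is then dereferenced at offset 2 (BeingDebugged) or 0x68 (NtGlobalFlag), as the constructed sample does.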

Stealing of Sensitive Information:

Yara detected Socelars
Source: Yara match; File source: duLT5gkRjy.exe, type: SAMPLE
Source: Yara match; File source: 1.2.duLT5gkRjy.exe.1350000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.0.duLT5gkRjy.exe.1350000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.0.duLT5gkRjy.exe.1350000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.0.duLT5gkRjy.exe.1350000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000000.250943662.000000000146A000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000000.244816151.000000000146A000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000000.251852996.000000000146A000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: duLT5gkRjy.exe PID: 5068, type: MEMORYSTR

Mitre Att&ck Matrix

Techniques are listed per tactic column. The digits in parentheses are the signature-count markers attached to a technique in the report; techniques without a marker are unmatched placeholders of the matrix.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: LSASS Driver (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (2); LSASS Driver (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: Virtualization/Sandbox Evasion (1); Process Injection (2); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (1); Software Packing; Steganography; Compile After Delivery; Indicator Removal from Tools
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: System Time Discovery (2); Query Registry (1); Security Software Discovery (31); Virtualization/Sandbox Evasion (1); Process Discovery (1); Remote System Discovery (1); System Network Configuration Discovery (1); System Information Discovery (2)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel (11); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (113); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

Behavior Graph

(The interactive behavior graph is not reproduced on this page. Its legend distinguishes node types Process, Signature, Created File and DNS/IP Info; the flags Is Dropped, Is Windows Process, Is malicious and Internet; the counters Number of created Registry Values and Number of created Files; and the language markers Visual Basic, Delphi, Java, .Net C# or VB.NET, and C, C++ or other language.)