socelars | 4dadde2cc75cc00a99017299ecfe878299c6c6742ce3abbb198cb440b6b3ce4f

General

Target

a26b1a5af7e93bbda77b5f1639815d77.exe
Size

1.4MB
MD5

a26b1a5af7e93bbda77b5f1639815d77
SHA1

38773c74da5bcf9cf59ac849507d5491ac13f838
SHA256

4dadde2cc75cc00a99017299ecfe878299c6c6742ce3abbb198cb440b6b3ce4f
SHA512

68a484b2818dc99be4a32e6bc0fda3f98e9220bea1eb83d935b5a7010d15f6f942e4268117b7d085ee32c590c96bb105051199e0c5e621f449aba34d4ea95d01

Score

10^/10

socelars discovery spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1216 taskkill.exe

pid	process
1216	taskkill.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

a26b1a5af7e93bbda77b5f1639815d77.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	a26b1a5af7e93bbda77b5f1639815d77.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	a26b1a5af7e93bbda77b5f1639815d77.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	a26b1a5af7e93bbda77b5f1639815d77.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

a26b1a5af7e93bbda77b5f1639815d77.exetaskkill.exe

description	pid	process
Token: SeCreateTokenPrivilege	1684	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: SeAssignPrimaryTokenPrivilege	1684	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: SeLockMemoryPrivilege	1684	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: SeIncreaseQuotaPrivilege	1684	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: SeMachineAccountPrivilege	1684	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: SeTcbPrivilege	1684	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: SeSecurityPrivilege	1684	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: SeTakeOwnershipPrivilege	1684	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: SeLoadDriverPrivilege	1684	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: SeSystemProfilePrivilege	1684	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: SeSystemtimePrivilege	1684	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: SeProfSingleProcessPrivilege	1684	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: SeIncBasePriorityPrivilege	1684	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: SeCreatePagefilePrivilege	1684	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: SeCreatePermanentPrivilege	1684	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: SeBackupPrivilege	1684	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: SeRestorePrivilege	1684	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: SeShutdownPrivilege	1684	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: SeDebugPrivilege	1684	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: SeAuditPrivilege	1684	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: SeSystemEnvironmentPrivilege	1684	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: SeChangeNotifyPrivilege	1684	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: SeRemoteShutdownPrivilege	1684	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: SeUndockPrivilege	1684	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: SeSyncAgentPrivilege	1684	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: SeEnableDelegationPrivilege	1684	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: SeManageVolumePrivilege	1684	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: SeImpersonatePrivilege	1684	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: SeCreateGlobalPrivilege	1684	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: 31	1684	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: 32	1684	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: 33	1684	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: 34	1684	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: 35	1684	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: SeDebugPrivilege	1216	taskkill.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

a26b1a5af7e93bbda77b5f1639815d77.execmd.exe

description	pid	process	target process
PID 1684 wrote to memory of 1008	1684	a26b1a5af7e93bbda77b5f1639815d77.exe	cmd.exe
PID 1684 wrote to memory of 1008	1684	a26b1a5af7e93bbda77b5f1639815d77.exe	cmd.exe
PID 1684 wrote to memory of 1008	1684	a26b1a5af7e93bbda77b5f1639815d77.exe	cmd.exe
PID 1684 wrote to memory of 1008	1684	a26b1a5af7e93bbda77b5f1639815d77.exe	cmd.exe
PID 1008 wrote to memory of 1216	1008	cmd.exe	taskkill.exe
PID 1008 wrote to memory of 1216	1008	cmd.exe	taskkill.exe
PID 1008 wrote to memory of 1216	1008	cmd.exe	taskkill.exe
PID 1008 wrote to memory of 1216	1008	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\a26b1a5af7e93bbda77b5f1639815d77.exe
"C:\Users\Admin\AppData\Local\Temp\a26b1a5af7e93bbda77b5f1639815d77.exe"
1⤵
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1008
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Web Service

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1008-3-0x0000000000000000-mapping.dmp

Download
memory/1056-5-0x000007FEF68D0000-0x000007FEF6B4A000-memory.dmp

Filesize
2.5MB

Download
memory/1216-4-0x0000000000000000-mapping.dmp

Download
memory/1684-2-0x00000000756A1000-0x00000000756A3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads