socelars | 4dadde2cc75cc00a99017299ecfe878299c6c6742ce3abbb198cb440b6b3ce4f

General

Target

a26b1a5af7e93bbda77b5f1639815d77.exe
Size

1.4MB
MD5

a26b1a5af7e93bbda77b5f1639815d77
SHA1

38773c74da5bcf9cf59ac849507d5491ac13f838
SHA256

4dadde2cc75cc00a99017299ecfe878299c6c6742ce3abbb198cb440b6b3ce4f
SHA512

68a484b2818dc99be4a32e6bc0fda3f98e9220bea1eb83d935b5a7010d15f6f942e4268117b7d085ee32c590c96bb105051199e0c5e621f449aba34d4ea95d01

Score

10^/10

socelars spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3580 taskkill.exe

pid	process
3580	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

a26b1a5af7e93bbda77b5f1639815d77.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	a26b1a5af7e93bbda77b5f1639815d77.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	a26b1a5af7e93bbda77b5f1639815d77.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

a26b1a5af7e93bbda77b5f1639815d77.exetaskkill.exe

description	pid	process
Token: SeCreateTokenPrivilege	576	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: SeAssignPrimaryTokenPrivilege	576	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: SeLockMemoryPrivilege	576	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: SeIncreaseQuotaPrivilege	576	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: SeMachineAccountPrivilege	576	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: SeTcbPrivilege	576	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: SeSecurityPrivilege	576	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: SeTakeOwnershipPrivilege	576	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: SeLoadDriverPrivilege	576	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: SeSystemProfilePrivilege	576	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: SeSystemtimePrivilege	576	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: SeProfSingleProcessPrivilege	576	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: SeIncBasePriorityPrivilege	576	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: SeCreatePagefilePrivilege	576	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: SeCreatePermanentPrivilege	576	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: SeBackupPrivilege	576	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: SeRestorePrivilege	576	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: SeShutdownPrivilege	576	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: SeDebugPrivilege	576	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: SeAuditPrivilege	576	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: SeSystemEnvironmentPrivilege	576	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: SeChangeNotifyPrivilege	576	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: SeRemoteShutdownPrivilege	576	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: SeUndockPrivilege	576	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: SeSyncAgentPrivilege	576	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: SeEnableDelegationPrivilege	576	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: SeManageVolumePrivilege	576	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: SeImpersonatePrivilege	576	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: SeCreateGlobalPrivilege	576	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: 31	576	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: 32	576	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: 33	576	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: 34	576	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: 35	576	a26b1a5af7e93bbda77b5f1639815d77.exe
Token: SeDebugPrivilege	3580	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

a26b1a5af7e93bbda77b5f1639815d77.execmd.exe

description	pid	process	target process
PID 576 wrote to memory of 3608	576	a26b1a5af7e93bbda77b5f1639815d77.exe	cmd.exe
PID 576 wrote to memory of 3608	576	a26b1a5af7e93bbda77b5f1639815d77.exe	cmd.exe
PID 576 wrote to memory of 3608	576	a26b1a5af7e93bbda77b5f1639815d77.exe	cmd.exe
PID 3608 wrote to memory of 3580	3608	cmd.exe	taskkill.exe
PID 3608 wrote to memory of 3580	3608	cmd.exe	taskkill.exe
PID 3608 wrote to memory of 3580	3608	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\a26b1a5af7e93bbda77b5f1639815d77.exe
"C:\Users\Admin\AppData\Local\Temp\a26b1a5af7e93bbda77b5f1639815d77.exe"
1⤵
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:576
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3608
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3580