socelars | 88d9141e63c5e2d05294b43d85ffc2604c3eda3b2cac69149743e3990b547212

General

Target

Install.exe
Size

1.4MB
MD5

87b6aa9999f339367e81cece5164cc61
SHA1

0f0cc9bae58961ceec44d77c09f7670b6e6dcd32
SHA256

88d9141e63c5e2d05294b43d85ffc2604c3eda3b2cac69149743e3990b547212
SHA512

f776a2f99d1446d010afa38a41d8401064329efa76b95c5f5150e7dc695105a834b286e71df6d349a9164936b4e57def370882e71f076ff1be310580b91b66a9

Score

10^/10

socelars spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3188 taskkill.exe

pid	process
3188	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Install.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Install.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Install.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

Install.exetaskkill.exe

description	pid	process
Token: SeCreateTokenPrivilege	4804	Install.exe
Token: SeAssignPrimaryTokenPrivilege	4804	Install.exe
Token: SeLockMemoryPrivilege	4804	Install.exe
Token: SeIncreaseQuotaPrivilege	4804	Install.exe
Token: SeMachineAccountPrivilege	4804	Install.exe
Token: SeTcbPrivilege	4804	Install.exe
Token: SeSecurityPrivilege	4804	Install.exe
Token: SeTakeOwnershipPrivilege	4804	Install.exe
Token: SeLoadDriverPrivilege	4804	Install.exe
Token: SeSystemProfilePrivilege	4804	Install.exe
Token: SeSystemtimePrivilege	4804	Install.exe
Token: SeProfSingleProcessPrivilege	4804	Install.exe
Token: SeIncBasePriorityPrivilege	4804	Install.exe
Token: SeCreatePagefilePrivilege	4804	Install.exe
Token: SeCreatePermanentPrivilege	4804	Install.exe
Token: SeBackupPrivilege	4804	Install.exe
Token: SeRestorePrivilege	4804	Install.exe
Token: SeShutdownPrivilege	4804	Install.exe
Token: SeDebugPrivilege	4804	Install.exe
Token: SeAuditPrivilege	4804	Install.exe
Token: SeSystemEnvironmentPrivilege	4804	Install.exe
Token: SeChangeNotifyPrivilege	4804	Install.exe
Token: SeRemoteShutdownPrivilege	4804	Install.exe
Token: SeUndockPrivilege	4804	Install.exe
Token: SeSyncAgentPrivilege	4804	Install.exe
Token: SeEnableDelegationPrivilege	4804	Install.exe
Token: SeManageVolumePrivilege	4804	Install.exe
Token: SeImpersonatePrivilege	4804	Install.exe
Token: SeCreateGlobalPrivilege	4804	Install.exe
Token: 31	4804	Install.exe
Token: 32	4804	Install.exe
Token: 33	4804	Install.exe
Token: 34	4804	Install.exe
Token: 35	4804	Install.exe
Token: SeDebugPrivilege	3188	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

Install.execmd.exe

description	pid	process	target process
PID 4804 wrote to memory of 4184	4804	Install.exe	cmd.exe
PID 4804 wrote to memory of 4184	4804	Install.exe	cmd.exe
PID 4804 wrote to memory of 4184	4804	Install.exe	cmd.exe
PID 4184 wrote to memory of 3188	4184	cmd.exe	taskkill.exe
PID 4184 wrote to memory of 3188	4184	cmd.exe	taskkill.exe
PID 4184 wrote to memory of 3188	4184	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
1⤵
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4184
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3188