Overview

overview

10

Static

static

10

askinstall46.exe

windows7_x64

10

askinstall46.exe

windows10_x64

10

Analysis

  • max time kernel
    61s
  • max time network
    135s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    16-06-2021 13:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    askinstall46.exe

  • Size

    1.4MB

  • MD5

    08e02983bf912205efca8487bb62107f

  • SHA1

    cfe6e8397409dac32ba08eb3d2d281604f6f3629

  • SHA256

    14b59820da7ad7abfb536b1303d7480c459bded64d0444f275a24168f90a4e53

  • SHA512

    f2cedecd3076d39e892dae912914f6b122287c94b36d18b98237bddb7f1e8133baf01ab6f96ffd6c4ffb19ab99632f78613a580760ce352de8a69cafa704d716

Score
10/10
socelarsspywarestealer

Malware Config

Signatures

  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    stealersocelars
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\askinstall46.exe
    "C:\Users\Admin\AppData\Local\Temp\askinstall46.exe"
    1⤵
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3896
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /im chrome.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4080
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im chrome.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3444

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1
T1130

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3444-115-0x0000000000000000-mapping.dmp
    Download
  • memory/4080-114-0x0000000000000000-mapping.dmp
    Download