Analysis Overview
SHA256
0466b839b04f09bff7cee333e33e8a22eed68e8d95997ad6da17ae19e1d8293b
Threat Level: Known bad
The file 75f13bcd18948ed9318396cadf3b3442.exe was found to be: Known bad.
Malicious Activity Summary
Socelars
Socelars Payload
Socelars family
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
Looks up geolocation information via web service
Checks installed software on the system
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Kills process with taskkill
Modifies system certificate store
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-11-20 17:41
Signatures
Socelars Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Socelars family
Analysis: behavioral1
Detonation Overview
Submitted
2021-11-20 17:41
Reported
2021-11-20 17:43
Platform
win7-en-20211104
Max time kernel
120s
Max time network
120s
Command Line
Signatures
Socelars
Reads user/profile data of web browsers
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up geolocation information via web service
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | C:\Users\Admin\AppData\Local\Temp\75f13bcd18948ed9318396cadf3b3442.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde | C:\Users\Admin\AppData\Local\Temp\75f13bcd18948ed9318396cadf3b3442.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1072 wrote to memory of 380 | N/A | C:\Users\Admin\AppData\Local\Temp\75f13bcd18948ed9318396cadf3b3442.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1072 wrote to memory of 380 | N/A | C:\Users\Admin\AppData\Local\Temp\75f13bcd18948ed9318396cadf3b3442.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1072 wrote to memory of 380 | N/A | C:\Users\Admin\AppData\Local\Temp\75f13bcd18948ed9318396cadf3b3442.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1072 wrote to memory of 380 | N/A | C:\Users\Admin\AppData\Local\Temp\75f13bcd18948ed9318396cadf3b3442.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 380 wrote to memory of 392 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 380 wrote to memory of 392 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 380 wrote to memory of 392 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 380 wrote to memory of 392 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\75f13bcd18948ed9318396cadf3b3442.exe
"C:\Users\Admin\AppData\Local\Temp\75f13bcd18948ed9318396cadf3b3442.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.listincode.com | udp |
| US | 149.28.253.196:443 | www.listincode.com | tcp |
| US | 8.8.8.8:53 | statuse.digitalcertvalidation.com | udp |
| US | 72.21.91.29:80 | statuse.digitalcertvalidation.com | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| DE | 5.9.162.45:443 | iplogger.org | tcp |
| DE | 5.9.162.45:443 | iplogger.org | tcp |
| DE | 5.9.162.45:443 | iplogger.org | tcp |
| DE | 5.9.162.45:443 | iplogger.org | tcp |
Files
memory/1072-55-0x0000000075881000-0x0000000075883000-memory.dmp
memory/380-56-0x0000000000000000-mapping.dmp
memory/392-57-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-11-20 17:41
Reported
2021-11-20 17:43
Platform
win10-en-20211014
Max time kernel
107s
Max time network
122s
Command Line
Signatures
Socelars
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
Looks up geolocation information via web service
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2472 wrote to memory of 2292 | N/A | C:\Users\Admin\AppData\Local\Temp\75f13bcd18948ed9318396cadf3b3442.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2472 wrote to memory of 2292 | N/A | C:\Users\Admin\AppData\Local\Temp\75f13bcd18948ed9318396cadf3b3442.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2472 wrote to memory of 2292 | N/A | C:\Users\Admin\AppData\Local\Temp\75f13bcd18948ed9318396cadf3b3442.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2292 wrote to memory of 1184 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 2292 wrote to memory of 1184 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 2292 wrote to memory of 1184 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\75f13bcd18948ed9318396cadf3b3442.exe
"C:\Users\Admin\AppData\Local\Temp\75f13bcd18948ed9318396cadf3b3442.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.listincode.com | udp |
| US | 149.28.253.196:443 | www.listincode.com | tcp |
| US | 8.8.8.8:53 | statuse.digitalcertvalidation.com | udp |
| US | 72.21.91.29:80 | statuse.digitalcertvalidation.com | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| DE | 5.9.162.45:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | time.windows.com | udp |
| NL | 20.101.57.9:123 | time.windows.com | udp |
Files
memory/2292-115-0x0000000000000000-mapping.dmp
memory/1184-116-0x0000000000000000-mapping.dmp