Analysis Overview
SHA256
96da16f1b813f61ded62562735c22429b4a38ab5f42281afe16ae87e92abbf1b
Threat Level: Known bad
The file 6ed15ba1793b318e075928be2009a1f1.exe was found to be: Known bad.
Malicious Activity Summary
Socelars Payload
Socelars family
Socelars
Reads user/profile data of web browsers
Looks up geolocation information via web service
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Kills process with taskkill
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-11-21 15:55
Signatures
Socelars Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Socelars family
Analysis: behavioral2
Detonation Overview
Submitted
2021-11-21 15:55
Reported
2021-11-21 15:57
Platform
win10-en-20211014
Max time kernel
121s
Max time network
133s
Command Line
Signatures
Socelars
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
Looks up geolocation information via web service
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2732 wrote to memory of 2256 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\6ed15ba1793b318e075928be2009a1f1.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2256 wrote to memory of 552 (3 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\6ed15ba1793b318e075928be2009a1f1.exe
"C:\Users\Admin\AppData\Local\Temp\6ed15ba1793b318e075928be2009a1f1.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
Network
| Country | Destination | Domain | Proto |
| IE | 52.109.76.32:443 | | tcp |
| US | 8.8.8.8:53 | time.windows.com | udp |
| US | 168.61.215.74:123 | time.windows.com | udp |
| US | 8.8.8.8:53 | www.listincode.com | udp |
| US | 149.28.253.196:443 | www.listincode.com | tcp |
| US | 8.8.8.8:53 | statuse.digitalcertvalidation.com | udp |
| US | 72.21.91.29:80 | statuse.digitalcertvalidation.com | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| DE | 5.9.162.45:443 | iplogger.org | tcp |
Files
memory/2256-115-0x0000000000000000-mapping.dmp
memory/552-116-0x0000000000000000-mapping.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2021-11-21 15:55
Reported
2021-11-21 15:57
Platform
win7-en-20211104
Max time kernel
120s
Max time network
124s
Command Line
Signatures
Socelars
Reads user/profile data of web browsers
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up geolocation information via web service
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 756 wrote to memory of 724 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\6ed15ba1793b318e075928be2009a1f1.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 724 wrote to memory of 1180 (4 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\6ed15ba1793b318e075928be2009a1f1.exe
"C:\Users\Admin\AppData\Local\Temp\6ed15ba1793b318e075928be2009a1f1.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
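Both detonations (win10 behavioral2 and win7 behavioral1) show the same three-process tree: the sample in the user's Temp directory starts cmd.exe, which starts taskkill.exe to force-kill chrome.exe. Killing the browser typically releases the locks on its profile files so the "Reads user/profile data of web browsers" step can copy them. Two points matter for detection: the sandbox's "Kills process with taskkill" signature fires on the grandchild, so a rule has to walk up past the cmd.exe wrapper to find who really asked for the kill; and the "wrote to memory of" rows are each a parent writing into the child it just created, which is consistent with ordinary CreateProcess setup and corroborates the tree rather than showing injection on its own. The following detector is an added example written for this page, not code from the report or the Triage sandbox. The events are constructed Sysmon Event ID 1 style records modelled on the process list above; the extra explorer.exe and excel.exe chains, the browser list and the severity labels are this example's assumptions.

```python
"""Flag taskkill runs aimed at a browser and attribute them past cmd.exe wrappers.

Added example for this report, not sandbox code. EVENTS is constructed
process-creation data shaped like Sysmon Event ID 1; PIDs are illustrative.
"""
import re
from typing import Dict, List, Optional

Event = Dict[str, object]

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\6ed15ba1793b318e075928be2009a1f1.exe"

# Constructed events: the report's chain, plus two benign chains started from
# explorer.exe (a user closing Firefox, and an admin killing a hung Excel).
EVENTS: List[Event] = [
    {"pid": 1200, "ppid": 600, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 2732, "ppid": 1200, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 2256, "ppid": 2732, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": "cmd.exe /c taskkill /f /im chrome.exe"},
    {"pid": 552, "ppid": 2256, "image": r"C:\Windows\SysWOW64\taskkill.exe",
     "cmdline": "taskkill /f /im chrome.exe"},
    {"pid": 3000, "ppid": 1200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c taskkill /f /im firefox.exe"},
    {"pid": 3001, "ppid": 3000, "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /f /im firefox.exe"},
    {"pid": 900, "ppid": 1200, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 901, "ppid": 900, "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /f /im excel.exe"},
]

# Assumptions of this example: which images count as browsers, and that a
# kill ordered by something running out of %TEMP% deserves the higher severity.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "opera.exe", "brave.exe"}
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
TASKKILL_RE = re.compile(r"taskkill(?:\.exe)?\b.*?/im\s+(\S+)", re.IGNORECASE)
MAX_WRAPPERS = 4  # how many nested cmd.exe layers we are willing to climb


def _image_name(event: Event) -> str:
    """Basename of the image path, lower-cased (handles both System32 and SysWOW64)."""
    return str(event["image"]).rsplit("\\", 1)[-1].lower()


def find_browser_kills(events: List[Event]) -> List[Dict[str, object]]:
    """Return one hit per taskkill that targets a browser, attributed to its origin."""
    by_pid = {e["pid"]: e for e in events}
    hits: List[Dict[str, object]] = []
    for ev in events:
        if _image_name(ev) != "taskkill.exe":
            continue
        m = TASKKILL_RE.search(str(ev["cmdline"]))
        if not m or m.group(1).lower() not in BROWSERS:
            continue
        # Climb through cmd.exe wrappers to the process that actually ordered the kill.
        origin: Optional[Event] = by_pid.get(ev["ppid"])
        climbed = 0
        while origin is not None and _image_name(origin) == "cmd.exe" and climbed < MAX_WRAPPERS:
            origin = by_pid.get(origin["ppid"])
            climbed += 1
        from_temp = origin is not None and bool(TEMP_RE.search(str(origin["image"])))
        hits.append({
            "taskkill_pid": ev["pid"],
            "target": m.group(1).lower(),
            "origin_pid": origin["pid"] if origin else None,
            "origin_image": origin["image"] if origin else None,
            "from_temp": from_temp,
            "severity": "high" if from_temp else "medium",
        })
    return hits


if __name__ == "__main__":
    for hit in find_browser_kills(EVENTS):
        print(hit)
```

Run against the constructed events, the chrome.exe kill is attributed to PID 2732 (the sample in Temp) and rated high, the firefox.exe kill to explorer.exe and rated medium, and the excel.exe kill is ignored because the target is not a browser.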
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.listincode.com | udp |
| US | 149.28.253.196:443 | www.listincode.com | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| DE | 5.9.162.45:443 | iplogger.org (3 connections) | tcp |
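The Network tables of both detonations mix what the sample did with what a Windows VM does on its own: time.windows.com (NTP) and statuse.digitalcertvalidation.com (certificate status checks) appear only in the win10 run and are operating-system background traffic, the 8.8.8.8:53 rows are the sandbox resolver answering lookups, and 52.109.76.32:443 was contacted without any name resolved in this run. The hosts common to both runs, www.listincode.com and iplogger.org, are the ones worth carrying out of the report; it does not say which of them triggered the "Looks up geolocation information" and "Legitimate hosting services abused" signatures. The helper below is an added example for this page, not code from the report or the sandbox. It copies the rows above as constructed input, and the noise allowlist, the resolver address, the rule text and the sid range are this example's assumptions.

```python
"""Separate a sandbox Network table into indicators and background noise,
then emit Suricata rules for the indicators.

Added example for this report, not sandbox code. ROWS copies the report's
(Country, Destination, Domain, Proto) rows; everything else is an assumption.
"""
from collections import OrderedDict
from typing import Dict, Iterable, List, Set, Tuple

Row = Tuple[str, str, str, str]  # (country, ip:port, domain, proto) as in the report

ROWS: List[Row] = [
    ("IE", "52.109.76.32:443", "", "tcp"),
    ("US", "8.8.8.8:53", "time.windows.com", "udp"),
    ("US", "168.61.215.74:123", "time.windows.com", "udp"),
    ("US", "8.8.8.8:53", "www.listincode.com", "udp"),
    ("US", "149.28.253.196:443", "www.listincode.com", "tcp"),
    ("US", "8.8.8.8:53", "statuse.digitalcertvalidation.com", "udp"),
    ("US", "72.21.91.29:80", "statuse.digitalcertvalidation.com", "tcp"),
    ("US", "8.8.8.8:53", "iplogger.org", "udp"),
    ("DE", "5.9.162.45:443", "iplogger.org", "tcp"),
    ("DE", "5.9.162.45:443", "iplogger.org", "tcp"),  # repeated rows collapse below
    ("DE", "5.9.162.45:443", "iplogger.org", "tcp"),
]

# Assumption: hosts a stock Windows VM contacts by itself (NTP, OCSP), so they
# are treated as noise rather than as sample behaviour.
NOISE_DOMAINS: Set[str] = {"time.windows.com", "statuse.digitalcertvalidation.com"}
RESOLVER = "8.8.8.8:53"  # the sandbox's DNS forwarder; never an indicator itself


def classify(rows: Iterable[Row]) -> Dict[str, object]:
    """Bucket rows into indicators (domain -> contacted {(ip:port, proto)}),
    noise domains, and destinations that had no name resolved."""
    iocs: "OrderedDict[str, Set[Tuple[str, str]]]" = OrderedDict()
    noise: Set[str] = set()
    unresolved: Set[str] = set()
    for _country, dst, domain, proto in rows:
        if not domain:
            unresolved.add(dst)
        elif domain in NOISE_DOMAINS:
            noise.add(domain)
        else:
            targets = iocs.setdefault(domain, set())
            if dst != RESOLVER:  # record the host reached, not the resolver that named it
                targets.add((dst, proto))
    return {"iocs": iocs, "noise": noise, "unresolved": unresolved}


def suricata_rules(iocs: Dict[str, Set[Tuple[str, str]]],
                   base_sid: int = 1000000, family: str = "Socelars") -> List[str]:
    """One DNS-query rule per indicator domain and one flow rule per host it reached.
    sid values are placeholders; assign from your own local range."""
    rules: List[str] = []
    sid = base_sid
    for domain, targets in iocs.items():
        rules.append(
            f'alert dns $HOME_NET any -> any any (msg:"{family} sample DNS query {domain}"; '
            f'dns.query; content:"{domain}"; nocase; sid:{sid}; rev:1;)')
        sid += 1
        for dst, proto in sorted(targets):
            ip, port = dst.rsplit(":", 1)
            rules.append(
                f'alert {proto} $HOME_NET any -> {ip} {port} '
                f'(msg:"{family} sample contact {domain}"; flow:to_server; sid:{sid}; rev:1;)')
            sid += 1
    return rules


if __name__ == "__main__":
    result = classify(ROWS)
    print("noise:", sorted(result["noise"]))
    print("unresolved:", sorted(result["unresolved"]))
    for rule in suricata_rules(result["iocs"]):
        print(rule)
```

On the rows above this yields two indicator domains with one contacted host each (the three identical iplogger.org rows collapse into one), two noise domains, one unresolved destination, and four rules. Because iplogger.org is a public service, its DNS rule will also fire on ordinary visits; correlate it with the taskkill-on-chrome process chain from the Processes sections before treating a hit as an infection.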
Files
memory/756-55-0x00000000753E1000-0x00000000753E3000-memory.dmp
memory/724-56-0x0000000000000000-mapping.dmp
memory/1180-57-0x0000000000000000-mapping.dmp