Analysis Overview
SHA256
da41ba14234c7da1f5fe3ce2528db9d149c3d807511a8db59740ebe066fc9455
Threat Level: Known bad
The file da41ba14234c7da1f5fe3ce2528db9d149c3d807511a8db59740ebe066fc9455 was found to be: Known bad.
Malicious Activity Summary
Socelars family
Socelars
Socelars Payload
Reads user/profile data of web browsers
Looks up geolocation information via web service
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Kills process with taskkill
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-11-22 05:58
Signatures
Socelars Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Socelars family
Analysis: behavioral1
Detonation Overview
Submitted
2021-11-22 05:58
Reported
2021-11-22 06:00
Platform
win10-en-20211104
Max time kernel
82s
Max time network
123s
Command Line
Signatures
Socelars
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
Looks up geolocation information via web service
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2336 wrote to memory of 3208 | N/A | C:\Users\Admin\AppData\Local\Temp\da41ba14234c7da1f5fe3ce2528db9d149c3d807511a8db59740ebe066fc9455.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2336 wrote to memory of 3208 | N/A | C:\Users\Admin\AppData\Local\Temp\da41ba14234c7da1f5fe3ce2528db9d149c3d807511a8db59740ebe066fc9455.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2336 wrote to memory of 3208 | N/A | C:\Users\Admin\AppData\Local\Temp\da41ba14234c7da1f5fe3ce2528db9d149c3d807511a8db59740ebe066fc9455.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3208 wrote to memory of 824 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 3208 wrote to memory of 824 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 3208 wrote to memory of 824 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\da41ba14234c7da1f5fe3ce2528db9d149c3d807511a8db59740ebe066fc9455.exe
"C:\Users\Admin\AppData\Local\Temp\da41ba14234c7da1f5fe3ce2528db9d149c3d807511a8db59740ebe066fc9455.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | www.listincode.com | udp |
| US | 149.28.253.196:443 | www.listincode.com | tcp |
| US | 8.8.8.8:53 | statuse.digitalcertvalidation.com | udp |
| US | 93.184.220.29:80 | statuse.digitalcertvalidation.com | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| DE | 5.9.162.45:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | sv.symcb.com | udp |
| US | 93.184.220.29:80 | sv.symcb.com | tcp |
| US | 8.8.8.8:53 | time.windows.com | udp |
| NL | 40.119.148.38:123 | time.windows.com | udp |
Files
memory/3208-118-0x0000000000000000-mapping.dmp
memory/824-119-0x0000000000000000-mapping.dmp