f063a5ece410738e966ca8f7d3b3a495.exe

General

Target:    f063a5ece410738e966ca8f7d3b3a495.exe
Filesize:  1MB
Completed: 25-11-2021 16:52
Score:     10/10
MD5:       f063a5ece410738e966ca8f7d3b3a495
SHA1:      ec19108520ac2ebeb27b231e7053bd0b710c90d2
SHA256:    17486a31039fa56636c672dba5f9ab12178f888839f41137416b4f85f2affdcb

Malware Config
Signatures 8

  • Socelars

    Description

    Socelars is an infostealer targeting browser cookies and credit card credentials.

  • Reads user/profile data of web browsers

    Description

    Infostealers routinely harvest data stored by browsers, such as saved credentials, cookies and autofill entries.

    TTPs

    Data from Local System; Credentials in Files
  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service
  • Looks up geolocation information via web service

    Description

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). The sandbox's canned description calls this likely ransomware behaviour; in an infostealer such as this one, drive enumeration is at least as consistent with locating files to harvest, so treat the heuristic as supporting evidence rather than a classification.

    TTPs

    System Information Discovery
  • Kills process with taskkill
    taskkill.exe

    Reported IOCs

    PID   Process
    4056  taskkill.exe
  • Suspicious use of AdjustPrivilegeToken
    f063a5ece410738e966ca8f7d3b3a495.exe, taskkill.exe

    Reported IOCs

    Description                           PID   Process
    Token: SeCreateTokenPrivilege         4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: SeAssignPrimaryTokenPrivilege  4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: SeLockMemoryPrivilege          4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: SeIncreaseQuotaPrivilege       4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: SeMachineAccountPrivilege      4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: SeTcbPrivilege                 4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: SeSecurityPrivilege            4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: SeTakeOwnershipPrivilege       4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: SeLoadDriverPrivilege          4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: SeSystemProfilePrivilege       4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: SeSystemtimePrivilege          4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: SeProfSingleProcessPrivilege   4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: SeIncBasePriorityPrivilege     4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: SeCreatePagefilePrivilege      4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: SeCreatePermanentPrivilege     4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: SeBackupPrivilege              4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: SeRestorePrivilege             4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: SeShutdownPrivilege            4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: SeDebugPrivilege               4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: SeAuditPrivilege               4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: SeSystemEnvironmentPrivilege   4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: SeChangeNotifyPrivilege        4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: SeRemoteShutdownPrivilege      4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: SeUndockPrivilege              4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: SeSyncAgentPrivilege           4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: SeEnableDelegationPrivilege    4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: SeManageVolumePrivilege        4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: SeImpersonatePrivilege         4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: SeCreateGlobalPrivilege        4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: 31                             4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: 32                             4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: 33                             4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: 34                             4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: 35                             4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: SeDebugPrivilege               4056  taskkill.exe

    The 34 privileges enabled by PID 4332 appear in the order of their well-known LUIDs, 2 (SeCreateTokenPrivilege) through 35, so the sample is walking the whole privilege range rather than requesting the one or two privileges it needs; that sweep is itself a useful indicator. The sandbox prints the last five by LUID only; in winnt.h, 31 to 35 are SeTrustedCredManAccessPrivilege, SeRelabelPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege. The single SeDebugPrivilege entry for taskkill.exe (PID 4056) is expected behaviour of that tool when forcibly terminating processes and is not an indicator on its own.
  • Suspicious use of WriteProcessMemory
    f063a5ece410738e966ca8f7d3b3a495.exe, cmd.exe

    Reported IOCs

    Description                        PID   Process                               Target process
    PID 4332 wrote to memory of 4068   4332  f063a5ece410738e966ca8f7d3b3a495.exe  cmd.exe
    PID 4332 wrote to memory of 4068   4332  f063a5ece410738e966ca8f7d3b3a495.exe  cmd.exe
    PID 4332 wrote to memory of 4068   4332  f063a5ece410738e966ca8f7d3b3a495.exe  cmd.exe
    PID 4068 wrote to memory of 4056   4068  cmd.exe                               taskkill.exe
    PID 4068 wrote to memory of 4056   4068  cmd.exe                               taskkill.exe
    PID 4068 wrote to memory of 4056   4068  cmd.exe                               taskkill.exe

    Each parent writes only into the child it has just spawned (the same parent/child pairs as in the process tree), which is what process creation itself looks like to a WriteProcessMemory hook; on its own this is not evidence of code injection.
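
The privilege events are easier to read, and easier to turn into a triage rule, once the numeric LUIDs are resolved and the calls are grouped per process. The Python below is an added example, not part of the sandbox report: it takes the token events exactly as reported above (the report's own privilege spellings and PIDs), resolves the numeric entries with the well-known LUID table from winnt.h, and flags a process that enables one unbroken run of privileges. The threshold of ten and the HIGH_VALUE set are my own choices, not anything the report defines.

```python
"""Triage helper for the AdjustPrivilegeToken events above.

Added example, not part of the sandbox report. Privilege names and PIDs are
copied from the report; the LUID table is the well-known set from winnt.h
(SE_*_PRIVILEGE); the sweep threshold and HIGH_VALUE set are my own.
"""
from collections import defaultdict

# Well-known privilege LUIDs start at 2 (SE_MIN_WELL_KNOWN_PRIVILEGE) and run
# consecutively, so position in this tuple + 2 is the LUID.
_WELL_KNOWN = (
    "SeCreateTokenPrivilege", "SeAssignPrimaryTokenPrivilege",        # 2, 3
    "SeLockMemoryPrivilege", "SeIncreaseQuotaPrivilege",              # 4, 5
    "SeMachineAccountPrivilege", "SeTcbPrivilege",                    # 6, 7
    "SeSecurityPrivilege", "SeTakeOwnershipPrivilege",                # 8, 9
    "SeLoadDriverPrivilege", "SeSystemProfilePrivilege",              # 10, 11
    "SeSystemtimePrivilege", "SeProfileSingleProcessPrivilege",       # 12, 13
    "SeIncreaseBasePriorityPrivilege", "SeCreatePagefilePrivilege",   # 14, 15
    "SeCreatePermanentPrivilege", "SeBackupPrivilege",                # 16, 17
    "SeRestorePrivilege", "SeShutdownPrivilege",                      # 18, 19
    "SeDebugPrivilege", "SeAuditPrivilege",                           # 20, 21
    "SeSystemEnvironmentPrivilege", "SeChangeNotifyPrivilege",        # 22, 23
    "SeRemoteShutdownPrivilege", "SeUndockPrivilege",                 # 24, 25
    "SeSyncAgentPrivilege", "SeEnableDelegationPrivilege",            # 26, 27
    "SeManageVolumePrivilege", "SeImpersonatePrivilege",              # 28, 29
    "SeCreateGlobalPrivilege", "SeTrustedCredManAccessPrivilege",     # 30, 31
    "SeRelabelPrivilege", "SeIncreaseWorkingSetPrivilege",            # 32, 33
    "SeTimeZonePrivilege", "SeCreateSymbolicLinkPrivilege",           # 34, 35
    "SeDelegateSessionUserImpersonatePrivilege",                      # 36
)
LUID_TO_NAME = {luid: name for luid, name in enumerate(_WELL_KNOWN, start=2)}
NAME_TO_LUID = {name: luid for luid, name in LUID_TO_NAME.items()}

# The sandbox prints two privileges in the winnt.h macro spelling rather than
# the name Windows itself uses; normalise so they still resolve to a LUID.
ALIASES = {
    "SeProfSingleProcessPrivilege": "SeProfileSingleProcessPrivilege",
    "SeIncBasePriorityPrivilege": "SeIncreaseBasePriorityPrivilege",
}

# Privileges worth a second look even when enabled alone (my choice).
HIGH_VALUE = {"SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
              "SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege",
              "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}


def resolve(description: str) -> str:
    """Turn 'Token: SeDebugPrivilege' or 'Token: 31' into a privilege name."""
    value = description.split(":", 1)[1].strip()
    if value.isdigit():
        return LUID_TO_NAME.get(int(value), f"LUID:{value}")
    return ALIASES.get(value, value)


def summarise(events, sweep_threshold: int = 10) -> dict:
    """events: iterable of (description, pid, process) rows as in the report.

    Returns {pid: {process, privileges, count, high_value, sequential, sweep}}.
    'sequential' is true when the resolved LUIDs form one unbroken run, i.e.
    the process walked the privilege range instead of asking for what it needs.
    """
    per_pid = defaultdict(lambda: {"process": None, "privileges": []})
    for description, pid, process in events:
        entry = per_pid[pid]
        entry["process"] = process
        entry["privileges"].append(resolve(description))
    for entry in per_pid.values():
        privs = entry["privileges"]
        luids = [NAME_TO_LUID[p] for p in privs if p in NAME_TO_LUID]
        entry["count"] = len(privs)
        entry["high_value"] = sorted(HIGH_VALUE & set(privs))
        entry["sequential"] = (len(luids) > 1 and
                               luids == list(range(luids[0], luids[0] + len(luids))))
        entry["sweep"] = entry["count"] >= sweep_threshold and entry["sequential"]
    return dict(per_pid)


# Events exactly as reported above: PID 4332 in the report's order, then taskkill.
SAMPLE = "f063a5ece410738e966ca8f7d3b3a495.exe"
REPORTED_4332 = (
    "SeCreateTokenPrivilege SeAssignPrimaryTokenPrivilege SeLockMemoryPrivilege "
    "SeIncreaseQuotaPrivilege SeMachineAccountPrivilege SeTcbPrivilege SeSecurityPrivilege "
    "SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemProfilePrivilege "
    "SeSystemtimePrivilege SeProfSingleProcessPrivilege SeIncBasePriorityPrivilege "
    "SeCreatePagefilePrivilege SeCreatePermanentPrivilege SeBackupPrivilege SeRestorePrivilege "
    "SeShutdownPrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege "
    "SeChangeNotifyPrivilege SeRemoteShutdownPrivilege SeUndockPrivilege SeSyncAgentPrivilege "
    "SeEnableDelegationPrivilege SeManageVolumePrivilege SeImpersonatePrivilege "
    "SeCreateGlobalPrivilege 31 32 33 34 35"
).split()
EVENTS = [(f"Token: {t}", 4332, SAMPLE) for t in REPORTED_4332]
EVENTS.append(("Token: SeDebugPrivilege", 4056, "taskkill.exe"))

if __name__ == "__main__":
    for pid, entry in summarise(EVENTS).items():
        flag = "PRIVILEGE SWEEP" if entry["sweep"] else "ok"
        print(f"{pid} {entry['process']}: {entry['count']} privileges, "
              f"high-value {entry['high_value']} -> {flag}")
```

Run against the report's rows, PID 4332 comes out as a 34-privilege sequential sweep covering LUIDs 2 to 35, while taskkill.exe (PID 4056) enables SeDebugPrivilege alone and is not flagged. The alias table matters in practice: without it the two macro-spelled names would not resolve and the run would look broken at LUIDs 13 and 14.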
Processes 3
  • C:\Users\Admin\AppData\Local\Temp\f063a5ece410738e966ca8f7d3b3a495.exe
    "C:\Users\Admin\AppData\Local\Temp\f063a5ece410738e966ca8f7d3b3a495.exe"
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:4332
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /im chrome.exe
      Suspicious use of WriteProcessMemory
      PID:4068
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im chrome.exe
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        PID:4056
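
The process tree is the most actionable part of this report: a binary running from %TEMP% spawns cmd.exe, which runs `taskkill /f /im chrome.exe`. Stealers do this because a running Chrome holds its profile databases (cookies, saved logins) open and locked, and killing it frees them for copying. The Python below is an added example, not part of the sandbox report: it models Sysmon Event ID 1 style process-creation records, walks the parent chain of every taskkill that targets a browser, and marks the kill suspicious when any ancestor was launched from a user-writable directory. The three records for PIDs 4332, 4068 and 4056 carry the images and command lines shown above; the explorer.exe parent and the PID 5000/5001 pair (an interactive shell killing a hung browser) are constructed for contrast, and the browser list and path patterns are my own.

```python
"""Detection sketch for the kill chain in the process tree above.

Added example, not part of the sandbox report. Records for PIDs 4332/4068/4056
use the images and command lines from the report; the explorer.exe parent and
the 5000/5001 'benign' pair are constructed. Record shape mirrors a Sysmon
Event ID 1 (process creation) row.
"""
import re
from dataclasses import dataclass

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
# Images launched from locations any user can write to: a typical dropper origin.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(appdata\\local\\temp|appdata\\roaming|downloads)\\", re.I)
# '/im <image>', optionally quoted; taskkill accepts the switch in any case.
IM_SWITCH = re.compile(r'/im\s+"?([^\s"]+)', re.I)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def taskkill_targets(cmdline: str) -> list:
    """Image names passed to taskkill via /im, lower-cased."""
    return [t.lower() for t in IM_SWITCH.findall(cmdline)]


def ancestry(by_pid: dict, pid: int) -> list:
    """Walk ParentProcessId links, child first; stop at unknown PIDs or loops."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def detect_browser_kills(events) -> list:
    """One alert per taskkill that targets a browser; 'suspicious' is set when
    any ancestor in the chain was launched from a user-writable directory."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        if basename(ev.image) != "taskkill.exe":
            continue
        targets = [t for t in taskkill_targets(ev.cmdline) if t in BROWSERS]
        if not targets:
            continue
        chain = ancestry(by_pid, ev.pid)
        origins = [a.image for a in chain if USER_WRITABLE.match(a.image)]
        alerts.append({
            "pid": ev.pid,
            "targets": targets,
            "chain": [basename(a.image) for a in chain],
            "suspicious": bool(origins),
            "origin": origins[0] if origins else None,
        })
    return alerts


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
EVENTS = [
    ProcEvent(1234, 1000, r"C:\Windows\explorer.exe", "explorer.exe"),   # constructed parent
    ProcEvent(4332, 1234, TEMP + r"\f063a5ece410738e966ca8f7d3b3a495.exe",
              '"' + TEMP + r'\f063a5ece410738e966ca8f7d3b3a495.exe"'),
    ProcEvent(4068, 4332, r"C:\Windows\SysWOW64\cmd.exe", "cmd.exe /c taskkill /f /im chrome.exe"),
    ProcEvent(4056, 4068, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /f /im chrome.exe"),
    # constructed benign control: an interactive shell killing a hung browser
    ProcEvent(5000, 1234, r"C:\Windows\System32\cmd.exe", '"C:\\Windows\\System32\\cmd.exe"'),
    ProcEvent(5001, 5000, r"C:\Windows\System32\taskkill.exe", "taskkill /F /IM chrome.exe"),
]

if __name__ == "__main__":
    for alert in detect_browser_kills(EVENTS):
        verdict = "SUSPICIOUS" if alert["suspicious"] else "benign"
        print(f"PID {alert['pid']} kills {alert['targets']} via "
              f"{' <- '.join(alert['chain'])}: {verdict}")
```

The ancestry walk is what separates the two hits: both taskkill invocations have identical command lines, but only PID 4056 descends from an image under AppData\Local\Temp. In a real deployment the same logic maps onto a Sysmon or EDR query that joins process-creation events on ParentProcessGuid rather than on PID, since PIDs are reused.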
Network
MITRE ATT&CK Matrix
Command and Control | Credential Access | Defense Evasion | Execution | Exfiltration | Impact | Initial Access | Lateral Movement | Persistence | Privilege Escalation
Downloads
  • memory/4056-116-0x0000000000000000-mapping.dmp
  • memory/4068-115-0x0000000000000000-mapping.dmp