Analysis Overview
SHA256
2570e4529bf20097068a2c4077330b27a910a018ba9967ed3ddde93c6aa81662
Threat Level: Known bad
The file 7b5d9e5737b3b7a1110f13cb72ca5842.exe was found to be: Known bad.
Malicious Activity Summary
Socelars Payload
Socelars family
Socelars
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
Looks up geolocation information via web service
Checks installed software on the system
Enumerates physical storage devices
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Kills process with taskkill
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-12-25 12:41
Signatures
Socelars Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Socelars family
Analysis: behavioral1
Detonation Overview
Submitted
2021-12-25 12:41
Reported
2021-12-25 12:43
Platform
win7-en-20211208
Max time kernel
118s
Max time network
121s
Command Line
Signatures
Socelars
Reads user/profile data of web browsers
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up geolocation information via web service
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | C:\Users\Admin\AppData\Local\Temp\7b5d9e5737b3b7a1110f13cb72ca5842.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [blob data omitted] | C:\Users\Admin\AppData\Local\Temp\7b5d9e5737b3b7a1110f13cb72ca5842.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1316 wrote to memory of 588 | N/A | C:\Users\Admin\AppData\Local\Temp\7b5d9e5737b3b7a1110f13cb72ca5842.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1316 wrote to memory of 588 | N/A | C:\Users\Admin\AppData\Local\Temp\7b5d9e5737b3b7a1110f13cb72ca5842.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1316 wrote to memory of 588 | N/A | C:\Users\Admin\AppData\Local\Temp\7b5d9e5737b3b7a1110f13cb72ca5842.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1316 wrote to memory of 588 | N/A | C:\Users\Admin\AppData\Local\Temp\7b5d9e5737b3b7a1110f13cb72ca5842.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 588 wrote to memory of 784 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 588 wrote to memory of 784 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 588 wrote to memory of 784 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 588 wrote to memory of 784 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\7b5d9e5737b3b7a1110f13cb72ca5842.exe
"C:\Users\Admin\AppData\Local\Temp\7b5d9e5737b3b7a1110f13cb72ca5842.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | www.listincode.com | udp |
| US | 149.28.253.196:443 | www.listincode.com | tcp |
| US | 8.8.8.8:53 | statuse.digitalcertvalidation.com | udp |
| US | 93.184.220.29:80 | statuse.digitalcertvalidation.com | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
Files
memory/1316-55-0x0000000074B21000-0x0000000074B23000-memory.dmp
memory/588-56-0x0000000000000000-mapping.dmp
memory/784-57-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-12-25 12:41
Reported
2021-12-25 12:43
Platform
win10-en-20211208
Max time kernel
83s
Max time network
123s
Command Line
Signatures
Socelars
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
Looks up geolocation information via web service
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2224 wrote to memory of 3192 | N/A | C:\Users\Admin\AppData\Local\Temp\7b5d9e5737b3b7a1110f13cb72ca5842.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2224 wrote to memory of 3192 | N/A | C:\Users\Admin\AppData\Local\Temp\7b5d9e5737b3b7a1110f13cb72ca5842.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2224 wrote to memory of 3192 | N/A | C:\Users\Admin\AppData\Local\Temp\7b5d9e5737b3b7a1110f13cb72ca5842.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3192 wrote to memory of 580 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 3192 wrote to memory of 580 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 3192 wrote to memory of 580 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\7b5d9e5737b3b7a1110f13cb72ca5842.exe
"C:\Users\Admin\AppData\Local\Temp\7b5d9e5737b3b7a1110f13cb72ca5842.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 52.109.8.19:443 | | tcp |
| US | 8.8.8.8:53 | www.listincode.com | udp |
| US | 149.28.253.196:443 | www.listincode.com | tcp |
| US | 8.8.8.8:53 | statuse.digitalcertvalidation.com | udp |
| US | 93.184.220.29:80 | statuse.digitalcertvalidation.com | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | time.windows.com | udp |
| US | 168.61.215.74:123 | time.windows.com | udp |
Files
memory/3192-115-0x0000000000000000-mapping.dmp
memory/580-116-0x0000000000000000-mapping.dmp