socelars | 062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d

Analysis

max time kernel
39s
max time network
44s
platform
windows7_x64
resource
win7-20220414-en
submitted
31-05-2022 06:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.exe
Size

843KB
MD5

bd5fd2cef4ecb1f30d097710877ab6d8
SHA1

a149aa5667dcc0431bab345503b7aa7c60c33b85
SHA256

062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d
SHA512

ec2b2ff1194b0c2acde4bd582e23341903a7551d83cea1b01200e82f1e76311e97d67ef48b2ecdf2372a40b378c5197b5fa3bb25ce5b3199043c9d6fce3120f4

Score

10^/10

socelars discovery stealer

Malware Config

Extracted

Family

socelars

http://www.zhxxjs.pw/Info/

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Executes dropped EXE 2 IoCs

Processes:

062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.tmpDiskScan.exe

pid process

1404 062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.tmp
1740 DiskScan.exe

Loads dropped DLL 6 IoCs

Processes:

062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.exe062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.tmpWerFault.exe

pid	process
2020	062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.exe
1404	062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.tmp
1492	WerFault.exe
1492	WerFault.exe
1492	WerFault.exe
1492	WerFault.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1492 1740 WerFault.exe DiskScan.exe

pid	pid_target	process	target process
1492	1740	WerFault.exe	DiskScan.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.tmp

pid	process
1404	062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.tmp
1404	062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.tmp

pid process

1404 062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.tmp

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.exe062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.tmpDiskScan.exe

description	pid	process	target process
PID 2020 wrote to memory of 1404	2020	062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.exe	062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.tmp
PID 2020 wrote to memory of 1404	2020	062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.exe	062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.tmp
PID 2020 wrote to memory of 1404	2020	062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.exe	062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.tmp
PID 2020 wrote to memory of 1404	2020	062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.exe	062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.tmp
PID 2020 wrote to memory of 1404	2020	062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.exe	062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.tmp
PID 2020 wrote to memory of 1404	2020	062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.exe	062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.tmp
PID 2020 wrote to memory of 1404	2020	062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.exe	062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.tmp
PID 1404 wrote to memory of 1740	1404	062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.tmp	DiskScan.exe
PID 1404 wrote to memory of 1740	1404	062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.tmp	DiskScan.exe
PID 1404 wrote to memory of 1740	1404	062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.tmp	DiskScan.exe
PID 1404 wrote to memory of 1740	1404	062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.tmp	DiskScan.exe
PID 1740 wrote to memory of 1492	1740	DiskScan.exe	WerFault.exe
PID 1740 wrote to memory of 1492	1740	DiskScan.exe	WerFault.exe
PID 1740 wrote to memory of 1492	1740	DiskScan.exe	WerFault.exe
PID 1740 wrote to memory of 1492	1740	DiskScan.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.exe
"C:\Users\Admin\AppData\Local\Temp\062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2020

C:\Users\Admin\AppData\Local\Temp\is-N995V.tmp\062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.tmp
"C:\Users\Admin\AppData\Local\Temp\is-N995V.tmp\062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.tmp" /SL5="$60124,579298,121344,C:\Users\Admin\AppData\Local\Temp\062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1404

C:\Users\Admin\AppData\Local\Temp\DiskProtect190001\DiskScan.exe
"C:\Users\Admin\AppData\Local\Temp\DiskProtect190001\DiskScan.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 496
4⤵
- Loads dropped DLL
- Program crash
PID:1492

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DiskProtect190001\DiskScan.exe
Filesize
1.1MB

MD5
f5a976999072c853ddb308ea860ad8b3

SHA1
9475168ec391ec8e815c7d4df933fe05e2d266d7

SHA256
42d9418059dcc77289938bb9bb6e2165082211b00b802c3a160214ef3b0ac943

SHA512
77a8281722e71ecedb69a1990fd308b76d187216fca96bc72a7ec6735865ee6e9c4e1d098a1cf14c8d23c3fd1cf05065ffba970eb6428b4970e66afa0795f01d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N995V.tmp\062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.tmp
Filesize
764KB

MD5
d30833e554463c73261f5b92d735e22a

SHA1
bac70c10e2b6f2d686c2e0cfe52750722f2107cd

SHA256
0056d30ceec26860014e0ad4a72f27efe9e122e7729cff71e34c3b84101e696e

SHA512
cf91ac768a9cbff960cd4ad04c4f6aeae840ac710bc37f81dca95ee356171333d6505bb97c9b7e40057ab377555af3e7dae0f77ce8adfbaab933824a22a342e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N995V.tmp\062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.tmp
Filesize
764KB

MD5
d30833e554463c73261f5b92d735e22a

SHA1
bac70c10e2b6f2d686c2e0cfe52750722f2107cd

SHA256
0056d30ceec26860014e0ad4a72f27efe9e122e7729cff71e34c3b84101e696e

SHA512
cf91ac768a9cbff960cd4ad04c4f6aeae840ac710bc37f81dca95ee356171333d6505bb97c9b7e40057ab377555af3e7dae0f77ce8adfbaab933824a22a342e1

Download Submit
\Users\Admin\AppData\Local\Temp\DiskProtect190001\DiskScan.exe
Filesize
1.1MB

MD5
f5a976999072c853ddb308ea860ad8b3

SHA1
9475168ec391ec8e815c7d4df933fe05e2d266d7

SHA256
42d9418059dcc77289938bb9bb6e2165082211b00b802c3a160214ef3b0ac943

SHA512
77a8281722e71ecedb69a1990fd308b76d187216fca96bc72a7ec6735865ee6e9c4e1d098a1cf14c8d23c3fd1cf05065ffba970eb6428b4970e66afa0795f01d

Download Submit
\Users\Admin\AppData\Local\Temp\DiskProtect190001\DiskScan.exe
Filesize
1.1MB

MD5
f5a976999072c853ddb308ea860ad8b3

SHA1
9475168ec391ec8e815c7d4df933fe05e2d266d7

SHA256
42d9418059dcc77289938bb9bb6e2165082211b00b802c3a160214ef3b0ac943

SHA512
77a8281722e71ecedb69a1990fd308b76d187216fca96bc72a7ec6735865ee6e9c4e1d098a1cf14c8d23c3fd1cf05065ffba970eb6428b4970e66afa0795f01d

Download Submit
\Users\Admin\AppData\Local\Temp\DiskProtect190001\DiskScan.exe
Filesize
1.1MB

MD5
f5a976999072c853ddb308ea860ad8b3

SHA1
9475168ec391ec8e815c7d4df933fe05e2d266d7

SHA256
42d9418059dcc77289938bb9bb6e2165082211b00b802c3a160214ef3b0ac943

SHA512
77a8281722e71ecedb69a1990fd308b76d187216fca96bc72a7ec6735865ee6e9c4e1d098a1cf14c8d23c3fd1cf05065ffba970eb6428b4970e66afa0795f01d

Download Submit
\Users\Admin\AppData\Local\Temp\DiskProtect190001\DiskScan.exe
Filesize
1.1MB

MD5
f5a976999072c853ddb308ea860ad8b3

SHA1
9475168ec391ec8e815c7d4df933fe05e2d266d7

SHA256
42d9418059dcc77289938bb9bb6e2165082211b00b802c3a160214ef3b0ac943

SHA512
77a8281722e71ecedb69a1990fd308b76d187216fca96bc72a7ec6735865ee6e9c4e1d098a1cf14c8d23c3fd1cf05065ffba970eb6428b4970e66afa0795f01d

Download Submit
\Users\Admin\AppData\Local\Temp\DiskProtect190001\DiskScan.exe
Filesize
1.1MB

MD5
f5a976999072c853ddb308ea860ad8b3

SHA1
9475168ec391ec8e815c7d4df933fe05e2d266d7

SHA256
42d9418059dcc77289938bb9bb6e2165082211b00b802c3a160214ef3b0ac943

SHA512
77a8281722e71ecedb69a1990fd308b76d187216fca96bc72a7ec6735865ee6e9c4e1d098a1cf14c8d23c3fd1cf05065ffba970eb6428b4970e66afa0795f01d

Download Submit
\Users\Admin\AppData\Local\Temp\is-N995V.tmp\062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.tmp
Filesize
764KB

MD5
d30833e554463c73261f5b92d735e22a

SHA1
bac70c10e2b6f2d686c2e0cfe52750722f2107cd

SHA256
0056d30ceec26860014e0ad4a72f27efe9e122e7729cff71e34c3b84101e696e

SHA512
cf91ac768a9cbff960cd4ad04c4f6aeae840ac710bc37f81dca95ee356171333d6505bb97c9b7e40057ab377555af3e7dae0f77ce8adfbaab933824a22a342e1

Download Submit
memory/1404-59-0x0000000000000000-mapping.dmp

Download
memory/1404-62-0x00000000745E1000-0x00000000745E3000-memory.dmp

Filesize
8KB

Download
memory/1492-69-0x0000000000000000-mapping.dmp

Download
memory/1740-65-0x0000000000000000-mapping.dmp

Download
memory/2020-68-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2020-54-0x0000000074DD1000-0x0000000074DD3000-memory.dmp

Filesize
8KB

Download
memory/2020-57-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2020-55-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download