socelars | 062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d

General

Target

062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.exe
Size

843KB
MD5

bd5fd2cef4ecb1f30d097710877ab6d8
SHA1

a149aa5667dcc0431bab345503b7aa7c60c33b85
SHA256

062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d
SHA512

ec2b2ff1194b0c2acde4bd582e23341903a7551d83cea1b01200e82f1e76311e97d67ef48b2ecdf2372a40b378c5197b5fa3bb25ce5b3199043c9d6fce3120f4

Score

10^/10

socelars discovery stealer

Malware Config

Extracted

Family

socelars

C2

http://www.zhxxjs.pw/Info/

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Executes dropped EXE 2 IoCs

Processes:

062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.tmpDiskScan.exe

pid process

4956 062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.tmp
2824 DiskScan.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4588 2824 WerFault.exe DiskScan.exe

pid	pid_target	process	target process
4588	2824	WerFault.exe	DiskScan.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.tmp

pid	process
4956	062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.tmp
4956	062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.tmp

pid process

4956 062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.tmp

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.exe062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.tmp

description	pid	process	target process
PID 3136 wrote to memory of 4956	3136	062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.exe	062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.tmp
PID 3136 wrote to memory of 4956	3136	062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.exe	062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.tmp
PID 3136 wrote to memory of 4956	3136	062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.exe	062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.tmp
PID 4956 wrote to memory of 2824	4956	062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.tmp	DiskScan.exe
PID 4956 wrote to memory of 2824	4956	062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.tmp	DiskScan.exe
PID 4956 wrote to memory of 2824	4956	062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.tmp	DiskScan.exe

C:\Users\Admin\AppData\Local\Temp\062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.exe
"C:\Users\Admin\AppData\Local\Temp\062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3136

C:\Users\Admin\AppData\Local\Temp\is-CEFJJ.tmp\062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.tmp
"C:\Users\Admin\AppData\Local\Temp\is-CEFJJ.tmp\062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.tmp" /SL5="$8003A,579298,121344,C:\Users\Admin\AppData\Local\Temp\062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4956

C:\Users\Admin\AppData\Local\Temp\DiskProtect190001\DiskScan.exe
"C:\Users\Admin\AppData\Local\Temp\DiskProtect190001\DiskScan.exe"
3⤵
- Executes dropped EXE
PID:2824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 1200
4⤵
- Program crash
PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2824 -ip 2824
1⤵
PID:4648

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DiskProtect190001\DiskScan.exe
Filesize
1.1MB

MD5
f5a976999072c853ddb308ea860ad8b3

SHA1
9475168ec391ec8e815c7d4df933fe05e2d266d7

SHA256
42d9418059dcc77289938bb9bb6e2165082211b00b802c3a160214ef3b0ac943

SHA512
77a8281722e71ecedb69a1990fd308b76d187216fca96bc72a7ec6735865ee6e9c4e1d098a1cf14c8d23c3fd1cf05065ffba970eb6428b4970e66afa0795f01d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DiskProtect190001\DiskScan.exe
Filesize
1.1MB

MD5
f5a976999072c853ddb308ea860ad8b3

SHA1
9475168ec391ec8e815c7d4df933fe05e2d266d7

SHA256
42d9418059dcc77289938bb9bb6e2165082211b00b802c3a160214ef3b0ac943

SHA512
77a8281722e71ecedb69a1990fd308b76d187216fca96bc72a7ec6735865ee6e9c4e1d098a1cf14c8d23c3fd1cf05065ffba970eb6428b4970e66afa0795f01d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CEFJJ.tmp\062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.tmp
Filesize
764KB

MD5
d30833e554463c73261f5b92d735e22a

SHA1
bac70c10e2b6f2d686c2e0cfe52750722f2107cd

SHA256
0056d30ceec26860014e0ad4a72f27efe9e122e7729cff71e34c3b84101e696e

SHA512
cf91ac768a9cbff960cd4ad04c4f6aeae840ac710bc37f81dca95ee356171333d6505bb97c9b7e40057ab377555af3e7dae0f77ce8adfbaab933824a22a342e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CEFJJ.tmp\062c2928d12af9e7e60cf35f0b82d6bb7909b188f7726ddff6bb2d811f251f4d.tmp
Filesize
764KB

MD5
d30833e554463c73261f5b92d735e22a

SHA1
bac70c10e2b6f2d686c2e0cfe52750722f2107cd

SHA256
0056d30ceec26860014e0ad4a72f27efe9e122e7729cff71e34c3b84101e696e

SHA512
cf91ac768a9cbff960cd4ad04c4f6aeae840ac710bc37f81dca95ee356171333d6505bb97c9b7e40057ab377555af3e7dae0f77ce8adfbaab933824a22a342e1

Download Submit
memory/2824-136-0x0000000000000000-mapping.dmp

Download
memory/3136-130-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3136-134-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3136-139-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4956-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads