socelars | 2d1106c065a163fbcef5b60ba5eceb22b75e2024e205c84494319fe1d912cffc

Analysis

max time kernel
43s
max time network
49s
platform
windows7_x64
resource
win7-20220414-en
submitted
14-06-2022 20:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d1106c065a163fbcef5b60ba5eceb22b75e2024e205c84494319fe1d912cffc.exe
Size

1.9MB
MD5

15f72ede1670137cc1be6aa7322cfaf7
SHA1

39223904b1c8b1a039f7fff34978e2723f2cf684
SHA256

2d1106c065a163fbcef5b60ba5eceb22b75e2024e205c84494319fe1d912cffc
SHA512

e9922cbea70205943d815c1592895f7e4d3fad97fed1a514ec32e86c711c9eab77b785fc94135c2e2b323e528567580f9a6d3c66f92784690e3c0180cb2b59e1

Score

10^/10

socelars discovery stealer

Malware Config

Extracted

Family

socelars

http://www.zhxxjs.pw/Info/

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Executes dropped EXE 2 IoCs

Processes:

2d1106c065a163fbcef5b60ba5eceb22b75e2024e205c84494319fe1d912cffc.tmpDiskScan.exe

pid process

900 2d1106c065a163fbcef5b60ba5eceb22b75e2024e205c84494319fe1d912cffc.tmp
1720 DiskScan.exe

Loads dropped DLL 6 IoCs

Processes:

2d1106c065a163fbcef5b60ba5eceb22b75e2024e205c84494319fe1d912cffc.exe2d1106c065a163fbcef5b60ba5eceb22b75e2024e205c84494319fe1d912cffc.tmpWerFault.exe

pid	process
2040	2d1106c065a163fbcef5b60ba5eceb22b75e2024e205c84494319fe1d912cffc.exe
900	2d1106c065a163fbcef5b60ba5eceb22b75e2024e205c84494319fe1d912cffc.tmp
1076	WerFault.exe
1076	WerFault.exe
1076	WerFault.exe
1076	WerFault.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1076 1720 WerFault.exe DiskScan.exe

pid	pid_target	process	target process
1076	1720	WerFault.exe	DiskScan.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

2d1106c065a163fbcef5b60ba5eceb22b75e2024e205c84494319fe1d912cffc.tmp

pid	process
900	2d1106c065a163fbcef5b60ba5eceb22b75e2024e205c84494319fe1d912cffc.tmp
900	2d1106c065a163fbcef5b60ba5eceb22b75e2024e205c84494319fe1d912cffc.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

2d1106c065a163fbcef5b60ba5eceb22b75e2024e205c84494319fe1d912cffc.tmp

pid process

900 2d1106c065a163fbcef5b60ba5eceb22b75e2024e205c84494319fe1d912cffc.tmp

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

2d1106c065a163fbcef5b60ba5eceb22b75e2024e205c84494319fe1d912cffc.exe2d1106c065a163fbcef5b60ba5eceb22b75e2024e205c84494319fe1d912cffc.tmpDiskScan.exe

description	pid	process	target process
PID 2040 wrote to memory of 900	2040	2d1106c065a163fbcef5b60ba5eceb22b75e2024e205c84494319fe1d912cffc.exe	2d1106c065a163fbcef5b60ba5eceb22b75e2024e205c84494319fe1d912cffc.tmp
PID 2040 wrote to memory of 900	2040	2d1106c065a163fbcef5b60ba5eceb22b75e2024e205c84494319fe1d912cffc.exe	2d1106c065a163fbcef5b60ba5eceb22b75e2024e205c84494319fe1d912cffc.tmp
PID 2040 wrote to memory of 900	2040	2d1106c065a163fbcef5b60ba5eceb22b75e2024e205c84494319fe1d912cffc.exe	2d1106c065a163fbcef5b60ba5eceb22b75e2024e205c84494319fe1d912cffc.tmp
PID 2040 wrote to memory of 900	2040	2d1106c065a163fbcef5b60ba5eceb22b75e2024e205c84494319fe1d912cffc.exe	2d1106c065a163fbcef5b60ba5eceb22b75e2024e205c84494319fe1d912cffc.tmp
PID 2040 wrote to memory of 900	2040	2d1106c065a163fbcef5b60ba5eceb22b75e2024e205c84494319fe1d912cffc.exe	2d1106c065a163fbcef5b60ba5eceb22b75e2024e205c84494319fe1d912cffc.tmp
PID 2040 wrote to memory of 900	2040	2d1106c065a163fbcef5b60ba5eceb22b75e2024e205c84494319fe1d912cffc.exe	2d1106c065a163fbcef5b60ba5eceb22b75e2024e205c84494319fe1d912cffc.tmp
PID 2040 wrote to memory of 900	2040	2d1106c065a163fbcef5b60ba5eceb22b75e2024e205c84494319fe1d912cffc.exe	2d1106c065a163fbcef5b60ba5eceb22b75e2024e205c84494319fe1d912cffc.tmp
PID 900 wrote to memory of 1720	900	2d1106c065a163fbcef5b60ba5eceb22b75e2024e205c84494319fe1d912cffc.tmp	DiskScan.exe
PID 900 wrote to memory of 1720	900	2d1106c065a163fbcef5b60ba5eceb22b75e2024e205c84494319fe1d912cffc.tmp	DiskScan.exe
PID 900 wrote to memory of 1720	900	2d1106c065a163fbcef5b60ba5eceb22b75e2024e205c84494319fe1d912cffc.tmp	DiskScan.exe
PID 900 wrote to memory of 1720	900	2d1106c065a163fbcef5b60ba5eceb22b75e2024e205c84494319fe1d912cffc.tmp	DiskScan.exe
PID 1720 wrote to memory of 1076	1720	DiskScan.exe	WerFault.exe
PID 1720 wrote to memory of 1076	1720	DiskScan.exe	WerFault.exe
PID 1720 wrote to memory of 1076	1720	DiskScan.exe	WerFault.exe
PID 1720 wrote to memory of 1076	1720	DiskScan.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\2d1106c065a163fbcef5b60ba5eceb22b75e2024e205c84494319fe1d912cffc.exe
"C:\Users\Admin\AppData\Local\Temp\2d1106c065a163fbcef5b60ba5eceb22b75e2024e205c84494319fe1d912cffc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\Admin\AppData\Local\Temp\is-ORANM.tmp\2d1106c065a163fbcef5b60ba5eceb22b75e2024e205c84494319fe1d912cffc.tmp
"C:\Users\Admin\AppData\Local\Temp\is-ORANM.tmp\2d1106c065a163fbcef5b60ba5eceb22b75e2024e205c84494319fe1d912cffc.tmp" /SL5="$60120,1242771,784384,C:\Users\Admin\AppData\Local\Temp\2d1106c065a163fbcef5b60ba5eceb22b75e2024e205c84494319fe1d912cffc.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:900

C:\Users\Admin\AppData\Local\Temp\DiskProtect190001\DiskScan.exe
"C:\Users\Admin\AppData\Local\Temp\DiskProtect190001\DiskScan.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 492
4⤵
- Loads dropped DLL
- Program crash
PID:1076

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DiskProtect190001\DiskScan.exe
Filesize
1.1MB

MD5
a4f31741712ef63adf483ba328799134

SHA1
0fcc0a7fad9a4cf0e608c62546f5e39494585157

SHA256
3b663ede7e2bdebaab3e2253f6c135b133a91edf92147692f6b87ff301a30d91

SHA512
3d15514506fca998b23df148bb59abe0d25c227c410c367f5577d95d5e14ac31eca78852e45a03caabe47685140d178548eb8aa10ac62965d24a304e370eb31d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ORANM.tmp\2d1106c065a163fbcef5b60ba5eceb22b75e2024e205c84494319fe1d912cffc.tmp
Filesize
2.5MB

MD5
5f28081693a97336a2d7df877044fcde

SHA1
9d710db6c618906d9b2e355bb8b2e0b5ab014bad

SHA256
5751a4c9713b058ba5cd757c405865702bee0926d5086efbaa4add627984362d

SHA512
48a8f91d57456409d82e8c5277a494e44e6d71d315cf1d5cfe9bea0ad8797d20a587d2fa7a123cbc4439eb74e6411f7d39743ddf4780abf3826cc7072276fb2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ORANM.tmp\2d1106c065a163fbcef5b60ba5eceb22b75e2024e205c84494319fe1d912cffc.tmp
Filesize
2.5MB

MD5
5f28081693a97336a2d7df877044fcde

SHA1
9d710db6c618906d9b2e355bb8b2e0b5ab014bad

SHA256
5751a4c9713b058ba5cd757c405865702bee0926d5086efbaa4add627984362d

SHA512
48a8f91d57456409d82e8c5277a494e44e6d71d315cf1d5cfe9bea0ad8797d20a587d2fa7a123cbc4439eb74e6411f7d39743ddf4780abf3826cc7072276fb2f

Download Submit
\Users\Admin\AppData\Local\Temp\DiskProtect190001\DiskScan.exe
Filesize
1.1MB

MD5
a4f31741712ef63adf483ba328799134

SHA1
0fcc0a7fad9a4cf0e608c62546f5e39494585157

SHA256
3b663ede7e2bdebaab3e2253f6c135b133a91edf92147692f6b87ff301a30d91

SHA512
3d15514506fca998b23df148bb59abe0d25c227c410c367f5577d95d5e14ac31eca78852e45a03caabe47685140d178548eb8aa10ac62965d24a304e370eb31d

Download Submit
\Users\Admin\AppData\Local\Temp\DiskProtect190001\DiskScan.exe
Filesize
1.1MB

MD5
a4f31741712ef63adf483ba328799134

SHA1
0fcc0a7fad9a4cf0e608c62546f5e39494585157

SHA256
3b663ede7e2bdebaab3e2253f6c135b133a91edf92147692f6b87ff301a30d91

SHA512
3d15514506fca998b23df148bb59abe0d25c227c410c367f5577d95d5e14ac31eca78852e45a03caabe47685140d178548eb8aa10ac62965d24a304e370eb31d

Download Submit
\Users\Admin\AppData\Local\Temp\DiskProtect190001\DiskScan.exe
Filesize
1.1MB

MD5
a4f31741712ef63adf483ba328799134

SHA1
0fcc0a7fad9a4cf0e608c62546f5e39494585157

SHA256
3b663ede7e2bdebaab3e2253f6c135b133a91edf92147692f6b87ff301a30d91

SHA512
3d15514506fca998b23df148bb59abe0d25c227c410c367f5577d95d5e14ac31eca78852e45a03caabe47685140d178548eb8aa10ac62965d24a304e370eb31d

Download Submit
\Users\Admin\AppData\Local\Temp\DiskProtect190001\DiskScan.exe
Filesize
1.1MB

MD5
a4f31741712ef63adf483ba328799134

SHA1
0fcc0a7fad9a4cf0e608c62546f5e39494585157

SHA256
3b663ede7e2bdebaab3e2253f6c135b133a91edf92147692f6b87ff301a30d91

SHA512
3d15514506fca998b23df148bb59abe0d25c227c410c367f5577d95d5e14ac31eca78852e45a03caabe47685140d178548eb8aa10ac62965d24a304e370eb31d

Download Submit
\Users\Admin\AppData\Local\Temp\DiskProtect190001\DiskScan.exe
Filesize
1.1MB

MD5
a4f31741712ef63adf483ba328799134

SHA1
0fcc0a7fad9a4cf0e608c62546f5e39494585157

SHA256
3b663ede7e2bdebaab3e2253f6c135b133a91edf92147692f6b87ff301a30d91

SHA512
3d15514506fca998b23df148bb59abe0d25c227c410c367f5577d95d5e14ac31eca78852e45a03caabe47685140d178548eb8aa10ac62965d24a304e370eb31d

Download Submit
\Users\Admin\AppData\Local\Temp\is-ORANM.tmp\2d1106c065a163fbcef5b60ba5eceb22b75e2024e205c84494319fe1d912cffc.tmp
Filesize
2.5MB

MD5
5f28081693a97336a2d7df877044fcde

SHA1
9d710db6c618906d9b2e355bb8b2e0b5ab014bad

SHA256
5751a4c9713b058ba5cd757c405865702bee0926d5086efbaa4add627984362d

SHA512
48a8f91d57456409d82e8c5277a494e44e6d71d315cf1d5cfe9bea0ad8797d20a587d2fa7a123cbc4439eb74e6411f7d39743ddf4780abf3826cc7072276fb2f

Download Submit
memory/900-58-0x0000000000000000-mapping.dmp

Download
memory/900-62-0x0000000074C61000-0x0000000074C63000-memory.dmp

Filesize
8KB

Download
memory/1076-69-0x0000000000000000-mapping.dmp

Download
memory/1720-65-0x0000000000000000-mapping.dmp

Download
memory/2040-55-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2040-68-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2040-54-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download
memory/2040-61-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download