socelars | 3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216

Analysis

max time kernel
43s
max time network
49s
platform
windows7_x64
resource
win7-20220414-en
submitted
19-06-2022 22:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.exe
Size

1.9MB
MD5

9ca48260d3b65c551acc59f1c8264368
SHA1

ea4e90eed1c9d65e59e0711dea5005c18f2dedff
SHA256

3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216
SHA512

2eaa17ae0ed3fe1e52bb9b05aa620e64f3fb0ac54312a752a52353710cb6b612d790da70e37831d628840a57b931d54c08114b757b0bfaee15d0f17d31f07ee9

Score

10^/10

socelars discovery stealer

Malware Config

Extracted

Family

socelars

http://www.zhxxjs.pw/Info/

http://www.allinfo.pw/

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Executes dropped EXE 2 IoCs

Processes:

3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.tmpDiskScan.exe

pid process

1076 3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.tmp
2024 DiskScan.exe

Loads dropped DLL 6 IoCs

Processes:

3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.exe3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.tmpWerFault.exe

pid	process
1912	3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.exe
1076	3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.tmp
1976	WerFault.exe
1976	WerFault.exe
1976	WerFault.exe
1976	WerFault.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1976 2024 WerFault.exe DiskScan.exe

pid	pid_target	process	target process
1976	2024	WerFault.exe	DiskScan.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.tmp

pid	process
1076	3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.tmp
1076	3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.tmp

pid process

1076 3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.tmp

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.exe3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.tmpDiskScan.exe

description	pid	process	target process
PID 1912 wrote to memory of 1076	1912	3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.exe	3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.tmp
PID 1912 wrote to memory of 1076	1912	3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.exe	3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.tmp
PID 1912 wrote to memory of 1076	1912	3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.exe	3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.tmp
PID 1912 wrote to memory of 1076	1912	3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.exe	3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.tmp
PID 1912 wrote to memory of 1076	1912	3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.exe	3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.tmp
PID 1912 wrote to memory of 1076	1912	3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.exe	3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.tmp
PID 1912 wrote to memory of 1076	1912	3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.exe	3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.tmp
PID 1076 wrote to memory of 2024	1076	3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.tmp	DiskScan.exe
PID 1076 wrote to memory of 2024	1076	3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.tmp	DiskScan.exe
PID 1076 wrote to memory of 2024	1076	3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.tmp	DiskScan.exe
PID 1076 wrote to memory of 2024	1076	3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.tmp	DiskScan.exe
PID 2024 wrote to memory of 1976	2024	DiskScan.exe	WerFault.exe
PID 2024 wrote to memory of 1976	2024	DiskScan.exe	WerFault.exe
PID 2024 wrote to memory of 1976	2024	DiskScan.exe	WerFault.exe
PID 2024 wrote to memory of 1976	2024	DiskScan.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.exe
"C:\Users\Admin\AppData\Local\Temp\3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1912

C:\Users\Admin\AppData\Local\Temp\is-M1TAH.tmp\3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.tmp
"C:\Users\Admin\AppData\Local\Temp\is-M1TAH.tmp\3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.tmp" /SL5="$70022,1255186,809984,C:\Users\Admin\AppData\Local\Temp\3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1076

C:\Users\Admin\AppData\Local\Temp\DiskProtect190916\DiskScan.exe
"C:\Users\Admin\AppData\Local\Temp\DiskProtect190916\DiskScan.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 504
4⤵
- Loads dropped DLL
- Program crash
PID:1976

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DiskProtect190916\DiskScan.exe
Filesize
1.1MB

MD5
c1f37e9770e7de31a82e120cacd687b5

SHA1
09d586ce77d44bdbbda0c2ed223c272d1c0888a9

SHA256
282348dd54dc04640f389c7e81f06dc37da26df6c3a7839fc614da0c36b8b5b6

SHA512
4cd8b882027281fb85146f9fec13b35fd9b6eb9e76a1b03ae14bcbcd2a1b694cc8551a183b66c6ee5d557226b27151797e8278f4dabf734875ee42ab16526993

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-M1TAH.tmp\3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.tmp
Filesize
2.5MB

MD5
b791cce5df067cdb8b8a8eae20d3c8f4

SHA1
9558d6e5de346d2e444ac869e885d101dcf94b83

SHA256
c4905f1105c0d90fa77d346c8b088ac6a1a18326c0d356f24fee45ef6484955e

SHA512
fada58d582d51406728cf6018110e0f8acef09b9f55fcb22252660524b98f33b7695c4f0cd3e4bfa6b47c4e82d7a335665a3be86f6ea3218ea30ffa7c025444f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-M1TAH.tmp\3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.tmp
Filesize
2.5MB

MD5
b791cce5df067cdb8b8a8eae20d3c8f4

SHA1
9558d6e5de346d2e444ac869e885d101dcf94b83

SHA256
c4905f1105c0d90fa77d346c8b088ac6a1a18326c0d356f24fee45ef6484955e

SHA512
fada58d582d51406728cf6018110e0f8acef09b9f55fcb22252660524b98f33b7695c4f0cd3e4bfa6b47c4e82d7a335665a3be86f6ea3218ea30ffa7c025444f

Download Submit
\Users\Admin\AppData\Local\Temp\DiskProtect190916\DiskScan.exe
Filesize
1.1MB

MD5
c1f37e9770e7de31a82e120cacd687b5

SHA1
09d586ce77d44bdbbda0c2ed223c272d1c0888a9

SHA256
282348dd54dc04640f389c7e81f06dc37da26df6c3a7839fc614da0c36b8b5b6

SHA512
4cd8b882027281fb85146f9fec13b35fd9b6eb9e76a1b03ae14bcbcd2a1b694cc8551a183b66c6ee5d557226b27151797e8278f4dabf734875ee42ab16526993

Download Submit
\Users\Admin\AppData\Local\Temp\DiskProtect190916\DiskScan.exe
Filesize
1.1MB

MD5
c1f37e9770e7de31a82e120cacd687b5

SHA1
09d586ce77d44bdbbda0c2ed223c272d1c0888a9

SHA256
282348dd54dc04640f389c7e81f06dc37da26df6c3a7839fc614da0c36b8b5b6

SHA512
4cd8b882027281fb85146f9fec13b35fd9b6eb9e76a1b03ae14bcbcd2a1b694cc8551a183b66c6ee5d557226b27151797e8278f4dabf734875ee42ab16526993

Download Submit
\Users\Admin\AppData\Local\Temp\DiskProtect190916\DiskScan.exe
Filesize
1.1MB

MD5
c1f37e9770e7de31a82e120cacd687b5

SHA1
09d586ce77d44bdbbda0c2ed223c272d1c0888a9

SHA256
282348dd54dc04640f389c7e81f06dc37da26df6c3a7839fc614da0c36b8b5b6

SHA512
4cd8b882027281fb85146f9fec13b35fd9b6eb9e76a1b03ae14bcbcd2a1b694cc8551a183b66c6ee5d557226b27151797e8278f4dabf734875ee42ab16526993

Download Submit
\Users\Admin\AppData\Local\Temp\DiskProtect190916\DiskScan.exe
Filesize
1.1MB

MD5
c1f37e9770e7de31a82e120cacd687b5

SHA1
09d586ce77d44bdbbda0c2ed223c272d1c0888a9

SHA256
282348dd54dc04640f389c7e81f06dc37da26df6c3a7839fc614da0c36b8b5b6

SHA512
4cd8b882027281fb85146f9fec13b35fd9b6eb9e76a1b03ae14bcbcd2a1b694cc8551a183b66c6ee5d557226b27151797e8278f4dabf734875ee42ab16526993

Download Submit
\Users\Admin\AppData\Local\Temp\DiskProtect190916\DiskScan.exe
Filesize
1.1MB

MD5
c1f37e9770e7de31a82e120cacd687b5

SHA1
09d586ce77d44bdbbda0c2ed223c272d1c0888a9

SHA256
282348dd54dc04640f389c7e81f06dc37da26df6c3a7839fc614da0c36b8b5b6

SHA512
4cd8b882027281fb85146f9fec13b35fd9b6eb9e76a1b03ae14bcbcd2a1b694cc8551a183b66c6ee5d557226b27151797e8278f4dabf734875ee42ab16526993

Download Submit
\Users\Admin\AppData\Local\Temp\is-M1TAH.tmp\3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.tmp
Filesize
2.5MB

MD5
b791cce5df067cdb8b8a8eae20d3c8f4

SHA1
9558d6e5de346d2e444ac869e885d101dcf94b83

SHA256
c4905f1105c0d90fa77d346c8b088ac6a1a18326c0d356f24fee45ef6484955e

SHA512
fada58d582d51406728cf6018110e0f8acef09b9f55fcb22252660524b98f33b7695c4f0cd3e4bfa6b47c4e82d7a335665a3be86f6ea3218ea30ffa7c025444f

Download Submit
memory/1076-58-0x0000000000000000-mapping.dmp

Download
memory/1076-61-0x0000000074171000-0x0000000074173000-memory.dmp

Filesize
8KB

Download
memory/1912-68-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/1912-63-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/1912-54-0x0000000074B51000-0x0000000074B53000-memory.dmp

Filesize
8KB

Download
memory/1912-55-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/1976-69-0x0000000000000000-mapping.dmp

Download
memory/2024-65-0x0000000000000000-mapping.dmp

Download