socelars | 3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216

General

Target

3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.exe
Size

1.9MB
MD5

9ca48260d3b65c551acc59f1c8264368
SHA1

ea4e90eed1c9d65e59e0711dea5005c18f2dedff
SHA256

3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216
SHA512

2eaa17ae0ed3fe1e52bb9b05aa620e64f3fb0ac54312a752a52353710cb6b612d790da70e37831d628840a57b931d54c08114b757b0bfaee15d0f17d31f07ee9

Score

10^/10

socelars discovery stealer

Malware Config

Extracted

Family

socelars

C2

http://www.zhxxjs.pw/Info/

http://www.allinfo.pw/

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Executes dropped EXE 2 IoCs

Processes:

3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.tmpDiskScan.exe

pid process

2464 3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.tmp
3456 DiskScan.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3792 3456 WerFault.exe DiskScan.exe

pid	pid_target	process	target process
3792	3456	WerFault.exe	DiskScan.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.tmp

pid	process
2464	3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.tmp
2464	3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.tmp

pid process

2464 3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.tmp

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.exe3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.tmp

description	pid	process	target process
PID 992 wrote to memory of 2464	992	3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.exe	3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.tmp
PID 992 wrote to memory of 2464	992	3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.exe	3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.tmp
PID 992 wrote to memory of 2464	992	3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.exe	3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.tmp
PID 2464 wrote to memory of 3456	2464	3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.tmp	DiskScan.exe
PID 2464 wrote to memory of 3456	2464	3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.tmp	DiskScan.exe
PID 2464 wrote to memory of 3456	2464	3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.tmp	DiskScan.exe

C:\Users\Admin\AppData\Local\Temp\3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.exe
"C:\Users\Admin\AppData\Local\Temp\3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:992

C:\Users\Admin\AppData\Local\Temp\is-J1IUS.tmp\3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.tmp
"C:\Users\Admin\AppData\Local\Temp\is-J1IUS.tmp\3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.tmp" /SL5="$701D6,1255186,809984,C:\Users\Admin\AppData\Local\Temp\3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2464

C:\Users\Admin\AppData\Local\Temp\DiskProtect190916\DiskScan.exe
"C:\Users\Admin\AppData\Local\Temp\DiskProtect190916\DiskScan.exe"
3⤵
- Executes dropped EXE
PID:3456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 1176
4⤵
- Program crash
PID:3792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3456 -ip 3456
1⤵
PID:2140

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DiskProtect190916\DiskScan.exe
Filesize
1.1MB

MD5
c1f37e9770e7de31a82e120cacd687b5

SHA1
09d586ce77d44bdbbda0c2ed223c272d1c0888a9

SHA256
282348dd54dc04640f389c7e81f06dc37da26df6c3a7839fc614da0c36b8b5b6

SHA512
4cd8b882027281fb85146f9fec13b35fd9b6eb9e76a1b03ae14bcbcd2a1b694cc8551a183b66c6ee5d557226b27151797e8278f4dabf734875ee42ab16526993

Download Submit
C:\Users\Admin\AppData\Local\Temp\DiskProtect190916\DiskScan.exe
Filesize
1.1MB

MD5
c1f37e9770e7de31a82e120cacd687b5

SHA1
09d586ce77d44bdbbda0c2ed223c272d1c0888a9

SHA256
282348dd54dc04640f389c7e81f06dc37da26df6c3a7839fc614da0c36b8b5b6

SHA512
4cd8b882027281fb85146f9fec13b35fd9b6eb9e76a1b03ae14bcbcd2a1b694cc8551a183b66c6ee5d557226b27151797e8278f4dabf734875ee42ab16526993

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-J1IUS.tmp\3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.tmp
Filesize
2.5MB

MD5
b791cce5df067cdb8b8a8eae20d3c8f4

SHA1
9558d6e5de346d2e444ac869e885d101dcf94b83

SHA256
c4905f1105c0d90fa77d346c8b088ac6a1a18326c0d356f24fee45ef6484955e

SHA512
fada58d582d51406728cf6018110e0f8acef09b9f55fcb22252660524b98f33b7695c4f0cd3e4bfa6b47c4e82d7a335665a3be86f6ea3218ea30ffa7c025444f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-J1IUS.tmp\3435f5289acb0e81ac336c58a4e7889acb3bd4a6e5f1fbaee1c98d5cdecf7216.tmp
Filesize
2.5MB

MD5
b791cce5df067cdb8b8a8eae20d3c8f4

SHA1
9558d6e5de346d2e444ac869e885d101dcf94b83

SHA256
c4905f1105c0d90fa77d346c8b088ac6a1a18326c0d356f24fee45ef6484955e

SHA512
fada58d582d51406728cf6018110e0f8acef09b9f55fcb22252660524b98f33b7695c4f0cd3e4bfa6b47c4e82d7a335665a3be86f6ea3218ea30ffa7c025444f

Download Submit
memory/992-130-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/992-134-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/992-139-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/2464-132-0x0000000000000000-mapping.dmp

Download
memory/3456-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads