socelars | 31b03f6a6fae46fe00388be20bbd5e8432b816e0cfc056309de6d175e45677e3

General

Target

31b03f6a6fae46fe00388be20bbd5e8432b816e0cfc056309de6d175e45677e3.exe
Size

1.4MB
MD5

3d33b77fb2fab5484d79b9e8210e071d
SHA1

8ad49eb332c4acced160fccd2cba0df8a579abd7
SHA256

31b03f6a6fae46fe00388be20bbd5e8432b816e0cfc056309de6d175e45677e3
SHA512

fcc60b4466d3279bbdbac5a8ca3a020e9a7844384b463eba39f7d2efd7e519d5d48f942d3c6a67fb5ce732dc8dd55d2d4659213c58d05a807fdfa715cc75c1ae

Score

10^/10

socelars stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3604 taskkill.exe

pid	process
3604	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

31b03f6a6fae46fe00388be20bbd5e8432b816e0cfc056309de6d175e45677e3.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	31b03f6a6fae46fe00388be20bbd5e8432b816e0cfc056309de6d175e45677e3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	31b03f6a6fae46fe00388be20bbd5e8432b816e0cfc056309de6d175e45677e3.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

31b03f6a6fae46fe00388be20bbd5e8432b816e0cfc056309de6d175e45677e3.exetaskkill.exe

description	pid	process
Token: SeCreateTokenPrivilege	3924	31b03f6a6fae46fe00388be20bbd5e8432b816e0cfc056309de6d175e45677e3.exe
Token: SeAssignPrimaryTokenPrivilege	3924	31b03f6a6fae46fe00388be20bbd5e8432b816e0cfc056309de6d175e45677e3.exe
Token: SeLockMemoryPrivilege	3924	31b03f6a6fae46fe00388be20bbd5e8432b816e0cfc056309de6d175e45677e3.exe
Token: SeIncreaseQuotaPrivilege	3924	31b03f6a6fae46fe00388be20bbd5e8432b816e0cfc056309de6d175e45677e3.exe
Token: SeMachineAccountPrivilege	3924	31b03f6a6fae46fe00388be20bbd5e8432b816e0cfc056309de6d175e45677e3.exe
Token: SeTcbPrivilege	3924	31b03f6a6fae46fe00388be20bbd5e8432b816e0cfc056309de6d175e45677e3.exe
Token: SeSecurityPrivilege	3924	31b03f6a6fae46fe00388be20bbd5e8432b816e0cfc056309de6d175e45677e3.exe
Token: SeTakeOwnershipPrivilege	3924	31b03f6a6fae46fe00388be20bbd5e8432b816e0cfc056309de6d175e45677e3.exe
Token: SeLoadDriverPrivilege	3924	31b03f6a6fae46fe00388be20bbd5e8432b816e0cfc056309de6d175e45677e3.exe
Token: SeSystemProfilePrivilege	3924	31b03f6a6fae46fe00388be20bbd5e8432b816e0cfc056309de6d175e45677e3.exe
Token: SeSystemtimePrivilege	3924	31b03f6a6fae46fe00388be20bbd5e8432b816e0cfc056309de6d175e45677e3.exe
Token: SeProfSingleProcessPrivilege	3924	31b03f6a6fae46fe00388be20bbd5e8432b816e0cfc056309de6d175e45677e3.exe
Token: SeIncBasePriorityPrivilege	3924	31b03f6a6fae46fe00388be20bbd5e8432b816e0cfc056309de6d175e45677e3.exe
Token: SeCreatePagefilePrivilege	3924	31b03f6a6fae46fe00388be20bbd5e8432b816e0cfc056309de6d175e45677e3.exe
Token: SeCreatePermanentPrivilege	3924	31b03f6a6fae46fe00388be20bbd5e8432b816e0cfc056309de6d175e45677e3.exe
Token: SeBackupPrivilege	3924	31b03f6a6fae46fe00388be20bbd5e8432b816e0cfc056309de6d175e45677e3.exe
Token: SeRestorePrivilege	3924	31b03f6a6fae46fe00388be20bbd5e8432b816e0cfc056309de6d175e45677e3.exe
Token: SeShutdownPrivilege	3924	31b03f6a6fae46fe00388be20bbd5e8432b816e0cfc056309de6d175e45677e3.exe
Token: SeDebugPrivilege	3924	31b03f6a6fae46fe00388be20bbd5e8432b816e0cfc056309de6d175e45677e3.exe
Token: SeAuditPrivilege	3924	31b03f6a6fae46fe00388be20bbd5e8432b816e0cfc056309de6d175e45677e3.exe
Token: SeSystemEnvironmentPrivilege	3924	31b03f6a6fae46fe00388be20bbd5e8432b816e0cfc056309de6d175e45677e3.exe
Token: SeChangeNotifyPrivilege	3924	31b03f6a6fae46fe00388be20bbd5e8432b816e0cfc056309de6d175e45677e3.exe
Token: SeRemoteShutdownPrivilege	3924	31b03f6a6fae46fe00388be20bbd5e8432b816e0cfc056309de6d175e45677e3.exe
Token: SeUndockPrivilege	3924	31b03f6a6fae46fe00388be20bbd5e8432b816e0cfc056309de6d175e45677e3.exe
Token: SeSyncAgentPrivilege	3924	31b03f6a6fae46fe00388be20bbd5e8432b816e0cfc056309de6d175e45677e3.exe
Token: SeEnableDelegationPrivilege	3924	31b03f6a6fae46fe00388be20bbd5e8432b816e0cfc056309de6d175e45677e3.exe
Token: SeManageVolumePrivilege	3924	31b03f6a6fae46fe00388be20bbd5e8432b816e0cfc056309de6d175e45677e3.exe
Token: SeImpersonatePrivilege	3924	31b03f6a6fae46fe00388be20bbd5e8432b816e0cfc056309de6d175e45677e3.exe
Token: SeCreateGlobalPrivilege	3924	31b03f6a6fae46fe00388be20bbd5e8432b816e0cfc056309de6d175e45677e3.exe
Token: 31	3924	31b03f6a6fae46fe00388be20bbd5e8432b816e0cfc056309de6d175e45677e3.exe
Token: 32	3924	31b03f6a6fae46fe00388be20bbd5e8432b816e0cfc056309de6d175e45677e3.exe
Token: 33	3924	31b03f6a6fae46fe00388be20bbd5e8432b816e0cfc056309de6d175e45677e3.exe
Token: 34	3924	31b03f6a6fae46fe00388be20bbd5e8432b816e0cfc056309de6d175e45677e3.exe
Token: 35	3924	31b03f6a6fae46fe00388be20bbd5e8432b816e0cfc056309de6d175e45677e3.exe
Token: SeDebugPrivilege	3604	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

31b03f6a6fae46fe00388be20bbd5e8432b816e0cfc056309de6d175e45677e3.execmd.exe

description	pid	process	target process
PID 3924 wrote to memory of 3188	3924	31b03f6a6fae46fe00388be20bbd5e8432b816e0cfc056309de6d175e45677e3.exe	cmd.exe
PID 3924 wrote to memory of 3188	3924	31b03f6a6fae46fe00388be20bbd5e8432b816e0cfc056309de6d175e45677e3.exe	cmd.exe
PID 3924 wrote to memory of 3188	3924	31b03f6a6fae46fe00388be20bbd5e8432b816e0cfc056309de6d175e45677e3.exe	cmd.exe
PID 3188 wrote to memory of 3604	3188	cmd.exe	taskkill.exe
PID 3188 wrote to memory of 3604	3188	cmd.exe	taskkill.exe
PID 3188 wrote to memory of 3604	3188	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\31b03f6a6fae46fe00388be20bbd5e8432b816e0cfc056309de6d175e45677e3.exe
"C:\Users\Admin\AppData\Local\Temp\31b03f6a6fae46fe00388be20bbd5e8432b816e0cfc056309de6d175e45677e3.exe"
1⤵
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3924