socelars | ef0d1682a04ee6f23153e295a9e66070464ffe903b8a7a8e393d55d12313e841

Analysis

max time kernel
37s
max time network
42s
platform
windows7_x64
resource
win7-20220414-en
submitted
25-06-2022 01:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef0d1682a04ee6f23153e295a9e66070464ffe903b8a7a8e393d55d12313e841.exe
Size

1.9MB
MD5

f0faa31e557acb4d73a8351ee80b6a3e
SHA1

ba4f77d0b7803df4fca1d9b797dbc09b18c6501c
SHA256

ef0d1682a04ee6f23153e295a9e66070464ffe903b8a7a8e393d55d12313e841
SHA512

afa4c1aaa236d61f5567decd1333c4b120e0b3265f2ce42d22197e30aa6ee11468e68ab6b0e2178809c4331850fa6ee0571ea86bb1315e8e3c92abc8dbc882fc

Score

10^/10

socelars discovery stealer upx

Malware Config

Extracted

Family

socelars

http://www.createinfo.pw/

http://www.allinfo.pw/

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Executes dropped EXE 2 IoCs

Processes:

ef0d1682a04ee6f23153e295a9e66070464ffe903b8a7a8e393d55d12313e841.tmpDiskScan.exe

pid process

908 ef0d1682a04ee6f23153e295a9e66070464ffe903b8a7a8e393d55d12313e841.tmp
1616 DiskScan.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\pdfreader2010\DiskScan.exe	upx
C:\Users\Admin\AppData\Local\Temp\pdfreader2010\DiskScan.exe	upx
behavioral1/memory/1616-68-0x0000000000400000-0x0000000000541000-memory.dmp	upx
behavioral1/memory/1616-71-0x0000000000400000-0x0000000000541000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\pdfreader2010\DiskScan.exe	upx
\Users\Admin\AppData\Local\Temp\pdfreader2010\DiskScan.exe	upx
\Users\Admin\AppData\Local\Temp\pdfreader2010\DiskScan.exe	upx
\Users\Admin\AppData\Local\Temp\pdfreader2010\DiskScan.exe	upx
\Users\Admin\AppData\Local\Temp\pdfreader2010\DiskScan.exe	upx
\Users\Admin\AppData\Local\Temp\pdfreader2010\DiskScan.exe	upx
\Users\Admin\AppData\Local\Temp\pdfreader2010\DiskScan.exe	upx

Loads dropped DLL 9 IoCs

Processes:

ef0d1682a04ee6f23153e295a9e66070464ffe903b8a7a8e393d55d12313e841.exeef0d1682a04ee6f23153e295a9e66070464ffe903b8a7a8e393d55d12313e841.tmpWerFault.exe

pid	process
560	ef0d1682a04ee6f23153e295a9e66070464ffe903b8a7a8e393d55d12313e841.exe
908	ef0d1682a04ee6f23153e295a9e66070464ffe903b8a7a8e393d55d12313e841.tmp
552	WerFault.exe
552	WerFault.exe
552	WerFault.exe
552	WerFault.exe
552	WerFault.exe
552	WerFault.exe
552	WerFault.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

552 1616 WerFault.exe DiskScan.exe

pid	pid_target	process	target process
552	1616	WerFault.exe	DiskScan.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ef0d1682a04ee6f23153e295a9e66070464ffe903b8a7a8e393d55d12313e841.tmp

pid	process
908	ef0d1682a04ee6f23153e295a9e66070464ffe903b8a7a8e393d55d12313e841.tmp
908	ef0d1682a04ee6f23153e295a9e66070464ffe903b8a7a8e393d55d12313e841.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

ef0d1682a04ee6f23153e295a9e66070464ffe903b8a7a8e393d55d12313e841.tmp

pid process

908 ef0d1682a04ee6f23153e295a9e66070464ffe903b8a7a8e393d55d12313e841.tmp

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

ef0d1682a04ee6f23153e295a9e66070464ffe903b8a7a8e393d55d12313e841.exeef0d1682a04ee6f23153e295a9e66070464ffe903b8a7a8e393d55d12313e841.tmpDiskScan.exe

description	pid	process	target process
PID 560 wrote to memory of 908	560	ef0d1682a04ee6f23153e295a9e66070464ffe903b8a7a8e393d55d12313e841.exe	ef0d1682a04ee6f23153e295a9e66070464ffe903b8a7a8e393d55d12313e841.tmp
PID 560 wrote to memory of 908	560	ef0d1682a04ee6f23153e295a9e66070464ffe903b8a7a8e393d55d12313e841.exe	ef0d1682a04ee6f23153e295a9e66070464ffe903b8a7a8e393d55d12313e841.tmp
PID 560 wrote to memory of 908	560	ef0d1682a04ee6f23153e295a9e66070464ffe903b8a7a8e393d55d12313e841.exe	ef0d1682a04ee6f23153e295a9e66070464ffe903b8a7a8e393d55d12313e841.tmp
PID 560 wrote to memory of 908	560	ef0d1682a04ee6f23153e295a9e66070464ffe903b8a7a8e393d55d12313e841.exe	ef0d1682a04ee6f23153e295a9e66070464ffe903b8a7a8e393d55d12313e841.tmp
PID 560 wrote to memory of 908	560	ef0d1682a04ee6f23153e295a9e66070464ffe903b8a7a8e393d55d12313e841.exe	ef0d1682a04ee6f23153e295a9e66070464ffe903b8a7a8e393d55d12313e841.tmp
PID 560 wrote to memory of 908	560	ef0d1682a04ee6f23153e295a9e66070464ffe903b8a7a8e393d55d12313e841.exe	ef0d1682a04ee6f23153e295a9e66070464ffe903b8a7a8e393d55d12313e841.tmp
PID 560 wrote to memory of 908	560	ef0d1682a04ee6f23153e295a9e66070464ffe903b8a7a8e393d55d12313e841.exe	ef0d1682a04ee6f23153e295a9e66070464ffe903b8a7a8e393d55d12313e841.tmp
PID 908 wrote to memory of 1616	908	ef0d1682a04ee6f23153e295a9e66070464ffe903b8a7a8e393d55d12313e841.tmp	DiskScan.exe
PID 908 wrote to memory of 1616	908	ef0d1682a04ee6f23153e295a9e66070464ffe903b8a7a8e393d55d12313e841.tmp	DiskScan.exe
PID 908 wrote to memory of 1616	908	ef0d1682a04ee6f23153e295a9e66070464ffe903b8a7a8e393d55d12313e841.tmp	DiskScan.exe
PID 908 wrote to memory of 1616	908	ef0d1682a04ee6f23153e295a9e66070464ffe903b8a7a8e393d55d12313e841.tmp	DiskScan.exe
PID 1616 wrote to memory of 552	1616	DiskScan.exe	WerFault.exe
PID 1616 wrote to memory of 552	1616	DiskScan.exe	WerFault.exe
PID 1616 wrote to memory of 552	1616	DiskScan.exe	WerFault.exe
PID 1616 wrote to memory of 552	1616	DiskScan.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\ef0d1682a04ee6f23153e295a9e66070464ffe903b8a7a8e393d55d12313e841.exe
"C:\Users\Admin\AppData\Local\Temp\ef0d1682a04ee6f23153e295a9e66070464ffe903b8a7a8e393d55d12313e841.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:560

C:\Users\Admin\AppData\Local\Temp\is-ICS45.tmp\ef0d1682a04ee6f23153e295a9e66070464ffe903b8a7a8e393d55d12313e841.tmp
"C:\Users\Admin\AppData\Local\Temp\is-ICS45.tmp\ef0d1682a04ee6f23153e295a9e66070464ffe903b8a7a8e393d55d12313e841.tmp" /SL5="$60120,1302756,816640,C:\Users\Admin\AppData\Local\Temp\ef0d1682a04ee6f23153e295a9e66070464ffe903b8a7a8e393d55d12313e841.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:908

C:\Users\Admin\AppData\Local\Temp\pdfreader2010\DiskScan.exe
"C:\Users\Admin\AppData\Local\Temp\pdfreader2010\DiskScan.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 504
4⤵
- Loads dropped DLL
- Program crash
PID:552

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-ICS45.tmp\ef0d1682a04ee6f23153e295a9e66070464ffe903b8a7a8e393d55d12313e841.tmp
Filesize
2.5MB

MD5
066108c4b0102357ebdaf3791ba38fe8

SHA1
59e9e8043232169c0554e350c233433b0bc4c83c

SHA256
a720dd6efcd1910ea490c0095ff0efa36eb5228712e61294eeb4b3072715c035

SHA512
a2bb074f042d7214536083dfe341da9dafe1d170cf52e9c0f4ff0041f959d4a28cc6be9cb0e5ec3adf63188d658332b7440d6b5ac8e02af2801e7f34a04acad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ICS45.tmp\ef0d1682a04ee6f23153e295a9e66070464ffe903b8a7a8e393d55d12313e841.tmp
Filesize
2.5MB

MD5
066108c4b0102357ebdaf3791ba38fe8

SHA1
59e9e8043232169c0554e350c233433b0bc4c83c

SHA256
a720dd6efcd1910ea490c0095ff0efa36eb5228712e61294eeb4b3072715c035

SHA512
a2bb074f042d7214536083dfe341da9dafe1d170cf52e9c0f4ff0041f959d4a28cc6be9cb0e5ec3adf63188d658332b7440d6b5ac8e02af2801e7f34a04acad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdfreader2010\DiskScan.exe
Filesize
569KB

MD5
55307d9adfbcc76551eb24aa2f650dd4

SHA1
86bbbaa938d4a1f0077d30b661c0cfac40a079ff

SHA256
a65dcf1408ac9eab201fabf115df1dbe1516a713552e9ef58e0cacef7e05a97e

SHA512
35463548786681d53813b4b869e62a900f92e2f129afa8011a2260baaf5a76c6d27d2390d8a9be4fdea8d5d80ff3aafaafc87694c8751a8a551081768f939b57

Download Submit
\Users\Admin\AppData\Local\Temp\is-ICS45.tmp\ef0d1682a04ee6f23153e295a9e66070464ffe903b8a7a8e393d55d12313e841.tmp
Filesize
2.5MB

MD5
066108c4b0102357ebdaf3791ba38fe8

SHA1
59e9e8043232169c0554e350c233433b0bc4c83c

SHA256
a720dd6efcd1910ea490c0095ff0efa36eb5228712e61294eeb4b3072715c035

SHA512
a2bb074f042d7214536083dfe341da9dafe1d170cf52e9c0f4ff0041f959d4a28cc6be9cb0e5ec3adf63188d658332b7440d6b5ac8e02af2801e7f34a04acad2

Download Submit
\Users\Admin\AppData\Local\Temp\pdfreader2010\DiskScan.exe
Filesize
569KB

MD5
55307d9adfbcc76551eb24aa2f650dd4

SHA1
86bbbaa938d4a1f0077d30b661c0cfac40a079ff

SHA256
a65dcf1408ac9eab201fabf115df1dbe1516a713552e9ef58e0cacef7e05a97e

SHA512
35463548786681d53813b4b869e62a900f92e2f129afa8011a2260baaf5a76c6d27d2390d8a9be4fdea8d5d80ff3aafaafc87694c8751a8a551081768f939b57

Download Submit
\Users\Admin\AppData\Local\Temp\pdfreader2010\DiskScan.exe
Filesize
569KB

MD5
55307d9adfbcc76551eb24aa2f650dd4

SHA1
86bbbaa938d4a1f0077d30b661c0cfac40a079ff

SHA256
a65dcf1408ac9eab201fabf115df1dbe1516a713552e9ef58e0cacef7e05a97e

SHA512
35463548786681d53813b4b869e62a900f92e2f129afa8011a2260baaf5a76c6d27d2390d8a9be4fdea8d5d80ff3aafaafc87694c8751a8a551081768f939b57

Download Submit
\Users\Admin\AppData\Local\Temp\pdfreader2010\DiskScan.exe
Filesize
569KB

MD5
55307d9adfbcc76551eb24aa2f650dd4

SHA1
86bbbaa938d4a1f0077d30b661c0cfac40a079ff

SHA256
a65dcf1408ac9eab201fabf115df1dbe1516a713552e9ef58e0cacef7e05a97e

SHA512
35463548786681d53813b4b869e62a900f92e2f129afa8011a2260baaf5a76c6d27d2390d8a9be4fdea8d5d80ff3aafaafc87694c8751a8a551081768f939b57

Download Submit
\Users\Admin\AppData\Local\Temp\pdfreader2010\DiskScan.exe
Filesize
569KB

MD5
55307d9adfbcc76551eb24aa2f650dd4

SHA1
86bbbaa938d4a1f0077d30b661c0cfac40a079ff

SHA256
a65dcf1408ac9eab201fabf115df1dbe1516a713552e9ef58e0cacef7e05a97e

SHA512
35463548786681d53813b4b869e62a900f92e2f129afa8011a2260baaf5a76c6d27d2390d8a9be4fdea8d5d80ff3aafaafc87694c8751a8a551081768f939b57

Download Submit
\Users\Admin\AppData\Local\Temp\pdfreader2010\DiskScan.exe
Filesize
569KB

MD5
55307d9adfbcc76551eb24aa2f650dd4

SHA1
86bbbaa938d4a1f0077d30b661c0cfac40a079ff

SHA256
a65dcf1408ac9eab201fabf115df1dbe1516a713552e9ef58e0cacef7e05a97e

SHA512
35463548786681d53813b4b869e62a900f92e2f129afa8011a2260baaf5a76c6d27d2390d8a9be4fdea8d5d80ff3aafaafc87694c8751a8a551081768f939b57

Download Submit
\Users\Admin\AppData\Local\Temp\pdfreader2010\DiskScan.exe
Filesize
569KB

MD5
55307d9adfbcc76551eb24aa2f650dd4

SHA1
86bbbaa938d4a1f0077d30b661c0cfac40a079ff

SHA256
a65dcf1408ac9eab201fabf115df1dbe1516a713552e9ef58e0cacef7e05a97e

SHA512
35463548786681d53813b4b869e62a900f92e2f129afa8011a2260baaf5a76c6d27d2390d8a9be4fdea8d5d80ff3aafaafc87694c8751a8a551081768f939b57

Download Submit
\Users\Admin\AppData\Local\Temp\pdfreader2010\DiskScan.exe
Filesize
569KB

MD5
55307d9adfbcc76551eb24aa2f650dd4

SHA1
86bbbaa938d4a1f0077d30b661c0cfac40a079ff

SHA256
a65dcf1408ac9eab201fabf115df1dbe1516a713552e9ef58e0cacef7e05a97e

SHA512
35463548786681d53813b4b869e62a900f92e2f129afa8011a2260baaf5a76c6d27d2390d8a9be4fdea8d5d80ff3aafaafc87694c8751a8a551081768f939b57

Download Submit
\Users\Admin\AppData\Local\Temp\pdfreader2010\DiskScan.exe
Filesize
569KB

MD5
55307d9adfbcc76551eb24aa2f650dd4

SHA1
86bbbaa938d4a1f0077d30b661c0cfac40a079ff

SHA256
a65dcf1408ac9eab201fabf115df1dbe1516a713552e9ef58e0cacef7e05a97e

SHA512
35463548786681d53813b4b869e62a900f92e2f129afa8011a2260baaf5a76c6d27d2390d8a9be4fdea8d5d80ff3aafaafc87694c8751a8a551081768f939b57

Download Submit
memory/552-72-0x0000000000000000-mapping.dmp

Download
memory/560-70-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/560-54-0x00000000753E1000-0x00000000753E3000-memory.dmp

Filesize
8KB

Download
memory/560-61-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/560-55-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/908-67-0x0000000004030000-0x0000000004171000-memory.dmp

Filesize
1.3MB

Download
memory/908-62-0x00000000748F1000-0x00000000748F3000-memory.dmp

Filesize
8KB

Download
memory/908-58-0x0000000000000000-mapping.dmp

Download
memory/1616-71-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/1616-68-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/1616-65-0x0000000000000000-mapping.dmp

Download