socelars | 7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b

Analysis

max time kernel
57s
max time network
55s
platform
windows7_x64
resource
win7-20220414-en
submitted
25-06-2022 04:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.exe
Size

1.9MB
MD5

abf7e26171a76f84b7548c70e4211c7b
SHA1

ffd622d897d936d5abf2bde3ad9ffad669987ceb
SHA256

7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b
SHA512

0667bf7a70c2094fd5cb376de9a17a5dd66cfce32084276ea10011d80260a73f2ccf0ad3c0f8e35754fed09d9d3aaddd053cebad1581ae77db8c35c1cc3887e1

Score

10^/10

socelars discovery stealer upx

Malware Config

Extracted

Family

socelars

http://www.createinfo.pw/

http://www.allinfo.pw/

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Executes dropped EXE 2 IoCs

Processes:

7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.tmpDiskScan.exe

pid process

2008 7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.tmp
1992 DiskScan.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\pdfreader2010\DiskScan.exe	upx
C:\Users\Admin\AppData\Local\Temp\pdfreader2010\DiskScan.exe	upx
behavioral1/memory/1992-69-0x0000000000400000-0x0000000000541000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\pdfreader2010\DiskScan.exe	upx
\Users\Admin\AppData\Local\Temp\pdfreader2010\DiskScan.exe	upx
\Users\Admin\AppData\Local\Temp\pdfreader2010\DiskScan.exe	upx
\Users\Admin\AppData\Local\Temp\pdfreader2010\DiskScan.exe	upx
\Users\Admin\AppData\Local\Temp\pdfreader2010\DiskScan.exe	upx
\Users\Admin\AppData\Local\Temp\pdfreader2010\DiskScan.exe	upx
\Users\Admin\AppData\Local\Temp\pdfreader2010\DiskScan.exe	upx
behavioral1/memory/1992-79-0x0000000000400000-0x0000000000541000-memory.dmp	upx

Loads dropped DLL 9 IoCs

Processes:

7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.exe7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.tmpWerFault.exe

pid	process
872	7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.exe
2008	7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.tmp
840	WerFault.exe
840	WerFault.exe
840	WerFault.exe
840	WerFault.exe
840	WerFault.exe
840	WerFault.exe
840	WerFault.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

840 1992 WerFault.exe DiskScan.exe

pid	pid_target	process	target process
840	1992	WerFault.exe	DiskScan.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.tmp

pid	process
2008	7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.tmp
2008	7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.tmp

pid process

2008 7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.tmp

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.exe7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.tmpDiskScan.exe

description	pid	process	target process
PID 872 wrote to memory of 2008	872	7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.exe	7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.tmp
PID 872 wrote to memory of 2008	872	7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.exe	7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.tmp
PID 872 wrote to memory of 2008	872	7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.exe	7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.tmp
PID 872 wrote to memory of 2008	872	7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.exe	7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.tmp
PID 872 wrote to memory of 2008	872	7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.exe	7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.tmp
PID 872 wrote to memory of 2008	872	7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.exe	7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.tmp
PID 872 wrote to memory of 2008	872	7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.exe	7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.tmp
PID 2008 wrote to memory of 1992	2008	7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.tmp	DiskScan.exe
PID 2008 wrote to memory of 1992	2008	7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.tmp	DiskScan.exe
PID 2008 wrote to memory of 1992	2008	7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.tmp	DiskScan.exe
PID 2008 wrote to memory of 1992	2008	7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.tmp	DiskScan.exe
PID 1992 wrote to memory of 840	1992	DiskScan.exe	WerFault.exe
PID 1992 wrote to memory of 840	1992	DiskScan.exe	WerFault.exe
PID 1992 wrote to memory of 840	1992	DiskScan.exe	WerFault.exe
PID 1992 wrote to memory of 840	1992	DiskScan.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.exe
"C:\Users\Admin\AppData\Local\Temp\7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:872

C:\Users\Admin\AppData\Local\Temp\is-M19BN.tmp\7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.tmp
"C:\Users\Admin\AppData\Local\Temp\is-M19BN.tmp\7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.tmp" /SL5="$60122,1302781,816640,C:\Users\Admin\AppData\Local\Temp\7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2008

C:\Users\Admin\AppData\Local\Temp\pdfreader2010\DiskScan.exe
"C:\Users\Admin\AppData\Local\Temp\pdfreader2010\DiskScan.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 508
4⤵
- Loads dropped DLL
- Program crash
PID:840

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-M19BN.tmp\7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.tmp
Filesize
2.5MB

MD5
066108c4b0102357ebdaf3791ba38fe8

SHA1
59e9e8043232169c0554e350c233433b0bc4c83c

SHA256
a720dd6efcd1910ea490c0095ff0efa36eb5228712e61294eeb4b3072715c035

SHA512
a2bb074f042d7214536083dfe341da9dafe1d170cf52e9c0f4ff0041f959d4a28cc6be9cb0e5ec3adf63188d658332b7440d6b5ac8e02af2801e7f34a04acad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-M19BN.tmp\7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.tmp
Filesize
2.5MB

MD5
066108c4b0102357ebdaf3791ba38fe8

SHA1
59e9e8043232169c0554e350c233433b0bc4c83c

SHA256
a720dd6efcd1910ea490c0095ff0efa36eb5228712e61294eeb4b3072715c035

SHA512
a2bb074f042d7214536083dfe341da9dafe1d170cf52e9c0f4ff0041f959d4a28cc6be9cb0e5ec3adf63188d658332b7440d6b5ac8e02af2801e7f34a04acad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdfreader2010\DiskScan.exe
Filesize
569KB

MD5
eab34089ba89eb30bab4d46d0d1d7c63

SHA1
676f13707c42ff4b0324ae9854096729f7541d0f

SHA256
13f90329010f340108f283ae7c832b5c51e32d4ddfd48657f8a9961b1b09ed78

SHA512
c47ac4760e1950575d2f5012b2bfd029cbf1d670f9e075f2b2faa18a129785957342d3bef0f3120e37c4610a221f489aef705b8e647da0861d678278e77bff6e

Download Submit
\Users\Admin\AppData\Local\Temp\is-M19BN.tmp\7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.tmp
Filesize
2.5MB

MD5
066108c4b0102357ebdaf3791ba38fe8

SHA1
59e9e8043232169c0554e350c233433b0bc4c83c

SHA256
a720dd6efcd1910ea490c0095ff0efa36eb5228712e61294eeb4b3072715c035

SHA512
a2bb074f042d7214536083dfe341da9dafe1d170cf52e9c0f4ff0041f959d4a28cc6be9cb0e5ec3adf63188d658332b7440d6b5ac8e02af2801e7f34a04acad2

Download Submit
\Users\Admin\AppData\Local\Temp\pdfreader2010\DiskScan.exe
Filesize
569KB

MD5
eab34089ba89eb30bab4d46d0d1d7c63

SHA1
676f13707c42ff4b0324ae9854096729f7541d0f

SHA256
13f90329010f340108f283ae7c832b5c51e32d4ddfd48657f8a9961b1b09ed78

SHA512
c47ac4760e1950575d2f5012b2bfd029cbf1d670f9e075f2b2faa18a129785957342d3bef0f3120e37c4610a221f489aef705b8e647da0861d678278e77bff6e

Download Submit
\Users\Admin\AppData\Local\Temp\pdfreader2010\DiskScan.exe
Filesize
569KB

MD5
eab34089ba89eb30bab4d46d0d1d7c63

SHA1
676f13707c42ff4b0324ae9854096729f7541d0f

SHA256
13f90329010f340108f283ae7c832b5c51e32d4ddfd48657f8a9961b1b09ed78

SHA512
c47ac4760e1950575d2f5012b2bfd029cbf1d670f9e075f2b2faa18a129785957342d3bef0f3120e37c4610a221f489aef705b8e647da0861d678278e77bff6e

Download Submit
\Users\Admin\AppData\Local\Temp\pdfreader2010\DiskScan.exe
Filesize
569KB

MD5
eab34089ba89eb30bab4d46d0d1d7c63

SHA1
676f13707c42ff4b0324ae9854096729f7541d0f

SHA256
13f90329010f340108f283ae7c832b5c51e32d4ddfd48657f8a9961b1b09ed78

SHA512
c47ac4760e1950575d2f5012b2bfd029cbf1d670f9e075f2b2faa18a129785957342d3bef0f3120e37c4610a221f489aef705b8e647da0861d678278e77bff6e

Download Submit
\Users\Admin\AppData\Local\Temp\pdfreader2010\DiskScan.exe
Filesize
569KB

MD5
eab34089ba89eb30bab4d46d0d1d7c63

SHA1
676f13707c42ff4b0324ae9854096729f7541d0f

SHA256
13f90329010f340108f283ae7c832b5c51e32d4ddfd48657f8a9961b1b09ed78

SHA512
c47ac4760e1950575d2f5012b2bfd029cbf1d670f9e075f2b2faa18a129785957342d3bef0f3120e37c4610a221f489aef705b8e647da0861d678278e77bff6e

Download Submit
\Users\Admin\AppData\Local\Temp\pdfreader2010\DiskScan.exe
Filesize
569KB

MD5
eab34089ba89eb30bab4d46d0d1d7c63

SHA1
676f13707c42ff4b0324ae9854096729f7541d0f

SHA256
13f90329010f340108f283ae7c832b5c51e32d4ddfd48657f8a9961b1b09ed78

SHA512
c47ac4760e1950575d2f5012b2bfd029cbf1d670f9e075f2b2faa18a129785957342d3bef0f3120e37c4610a221f489aef705b8e647da0861d678278e77bff6e

Download Submit
\Users\Admin\AppData\Local\Temp\pdfreader2010\DiskScan.exe
Filesize
569KB

MD5
eab34089ba89eb30bab4d46d0d1d7c63

SHA1
676f13707c42ff4b0324ae9854096729f7541d0f

SHA256
13f90329010f340108f283ae7c832b5c51e32d4ddfd48657f8a9961b1b09ed78

SHA512
c47ac4760e1950575d2f5012b2bfd029cbf1d670f9e075f2b2faa18a129785957342d3bef0f3120e37c4610a221f489aef705b8e647da0861d678278e77bff6e

Download Submit
\Users\Admin\AppData\Local\Temp\pdfreader2010\DiskScan.exe
Filesize
569KB

MD5
eab34089ba89eb30bab4d46d0d1d7c63

SHA1
676f13707c42ff4b0324ae9854096729f7541d0f

SHA256
13f90329010f340108f283ae7c832b5c51e32d4ddfd48657f8a9961b1b09ed78

SHA512
c47ac4760e1950575d2f5012b2bfd029cbf1d670f9e075f2b2faa18a129785957342d3bef0f3120e37c4610a221f489aef705b8e647da0861d678278e77bff6e

Download Submit
\Users\Admin\AppData\Local\Temp\pdfreader2010\DiskScan.exe
Filesize
569KB

MD5
eab34089ba89eb30bab4d46d0d1d7c63

SHA1
676f13707c42ff4b0324ae9854096729f7541d0f

SHA256
13f90329010f340108f283ae7c832b5c51e32d4ddfd48657f8a9961b1b09ed78

SHA512
c47ac4760e1950575d2f5012b2bfd029cbf1d670f9e075f2b2faa18a129785957342d3bef0f3120e37c4610a221f489aef705b8e647da0861d678278e77bff6e

Download Submit
memory/840-71-0x0000000000000000-mapping.dmp

Download
memory/872-61-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/872-70-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/872-54-0x00000000763E1000-0x00000000763E3000-memory.dmp

Filesize
8KB

Download
memory/872-55-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1992-69-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/1992-65-0x0000000000000000-mapping.dmp

Download
memory/1992-79-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/2008-68-0x0000000004030000-0x0000000004171000-memory.dmp

Filesize
1.3MB

Download
memory/2008-62-0x00000000746D1000-0x00000000746D3000-memory.dmp

Filesize
8KB

Download
memory/2008-58-0x0000000000000000-mapping.dmp

Download