socelars | 4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1

Analysis

max time kernel
38s
max time network
46s
platform
windows7_x64
resource
win7-20220414-en
submitted
25-06-2022 08:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.exe
Size

1.9MB
MD5

af660b2f594ebabe05a4c4aa117d24f3
SHA1

f16395923445903b3ef674ff250c91b70c87a4aa
SHA256

4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1
SHA512

b015b24fb7fc445b8f568e46a153acbc18f56705d4af6a05c3cd8ab7c38643ced16ee06c6240cd7b14b4bf71cd849aa3f22ca5db76f7ca2a2ead1469bda754ad

Score

10^/10

socelars discovery stealer

Malware Config

Extracted

Family

socelars

http://www.zhxxjs.pw/Info/

http://www.allinfo.pw/

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Executes dropped EXE 2 IoCs

Processes:

4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.tmpDiskScan.exe

pid process

1732 4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.tmp
1104 DiskScan.exe

Loads dropped DLL 6 IoCs

Processes:

4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.exe4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.tmpWerFault.exe

pid	process
1880	4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.exe
1732	4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.tmp
1600	WerFault.exe
1600	WerFault.exe
1600	WerFault.exe
1600	WerFault.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1600 1104 WerFault.exe DiskScan.exe

pid	pid_target	process	target process
1600	1104	WerFault.exe	DiskScan.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.tmp

pid	process
1732	4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.tmp
1732	4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.tmp

pid process

1732 4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.tmp

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.exe4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.tmpDiskScan.exe

description	pid	process	target process
PID 1880 wrote to memory of 1732	1880	4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.exe	4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.tmp
PID 1880 wrote to memory of 1732	1880	4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.exe	4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.tmp
PID 1880 wrote to memory of 1732	1880	4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.exe	4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.tmp
PID 1880 wrote to memory of 1732	1880	4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.exe	4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.tmp
PID 1880 wrote to memory of 1732	1880	4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.exe	4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.tmp
PID 1880 wrote to memory of 1732	1880	4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.exe	4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.tmp
PID 1880 wrote to memory of 1732	1880	4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.exe	4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.tmp
PID 1732 wrote to memory of 1104	1732	4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.tmp	DiskScan.exe
PID 1732 wrote to memory of 1104	1732	4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.tmp	DiskScan.exe
PID 1732 wrote to memory of 1104	1732	4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.tmp	DiskScan.exe
PID 1732 wrote to memory of 1104	1732	4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.tmp	DiskScan.exe
PID 1104 wrote to memory of 1600	1104	DiskScan.exe	WerFault.exe
PID 1104 wrote to memory of 1600	1104	DiskScan.exe	WerFault.exe
PID 1104 wrote to memory of 1600	1104	DiskScan.exe	WerFault.exe
PID 1104 wrote to memory of 1600	1104	DiskScan.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.exe
"C:\Users\Admin\AppData\Local\Temp\4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1880

C:\Users\Admin\AppData\Local\Temp\is-V9UUR.tmp\4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.tmp
"C:\Users\Admin\AppData\Local\Temp\is-V9UUR.tmp\4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.tmp" /SL5="$60122,1255089,809984,C:\Users\Admin\AppData\Local\Temp\4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1732

C:\Users\Admin\AppData\Local\Temp\DiskProtect190001\DiskScan.exe
"C:\Users\Admin\AppData\Local\Temp\DiskProtect190001\DiskScan.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 456
4⤵
- Loads dropped DLL
- Program crash
PID:1600

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DiskProtect190001\DiskScan.exe
Filesize
1.1MB

MD5
e55e34c44364e591b70c6146c1419c0a

SHA1
7fd802274a79d359f7cf7c03f86b13326089303b

SHA256
238dc0eb1fd09cd7f83acda372161355247ebc2d9e1c24072c4d745c7c6af716

SHA512
a3ee524390ad3e689b2e838b251b24203291227f2ad95b4087c157d5550c0b22651ba6f36a43c1084cfebab3a1aaabdc8232e4fab742039ab00411c40ce7d09c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-V9UUR.tmp\4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.tmp
Filesize
2.5MB

MD5
b791cce5df067cdb8b8a8eae20d3c8f4

SHA1
9558d6e5de346d2e444ac869e885d101dcf94b83

SHA256
c4905f1105c0d90fa77d346c8b088ac6a1a18326c0d356f24fee45ef6484955e

SHA512
fada58d582d51406728cf6018110e0f8acef09b9f55fcb22252660524b98f33b7695c4f0cd3e4bfa6b47c4e82d7a335665a3be86f6ea3218ea30ffa7c025444f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-V9UUR.tmp\4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.tmp
Filesize
2.5MB

MD5
b791cce5df067cdb8b8a8eae20d3c8f4

SHA1
9558d6e5de346d2e444ac869e885d101dcf94b83

SHA256
c4905f1105c0d90fa77d346c8b088ac6a1a18326c0d356f24fee45ef6484955e

SHA512
fada58d582d51406728cf6018110e0f8acef09b9f55fcb22252660524b98f33b7695c4f0cd3e4bfa6b47c4e82d7a335665a3be86f6ea3218ea30ffa7c025444f

Download Submit
\Users\Admin\AppData\Local\Temp\DiskProtect190001\DiskScan.exe
Filesize
1.1MB

MD5
e55e34c44364e591b70c6146c1419c0a

SHA1
7fd802274a79d359f7cf7c03f86b13326089303b

SHA256
238dc0eb1fd09cd7f83acda372161355247ebc2d9e1c24072c4d745c7c6af716

SHA512
a3ee524390ad3e689b2e838b251b24203291227f2ad95b4087c157d5550c0b22651ba6f36a43c1084cfebab3a1aaabdc8232e4fab742039ab00411c40ce7d09c

Download Submit
\Users\Admin\AppData\Local\Temp\DiskProtect190001\DiskScan.exe
Filesize
1.1MB

MD5
e55e34c44364e591b70c6146c1419c0a

SHA1
7fd802274a79d359f7cf7c03f86b13326089303b

SHA256
238dc0eb1fd09cd7f83acda372161355247ebc2d9e1c24072c4d745c7c6af716

SHA512
a3ee524390ad3e689b2e838b251b24203291227f2ad95b4087c157d5550c0b22651ba6f36a43c1084cfebab3a1aaabdc8232e4fab742039ab00411c40ce7d09c

Download Submit
\Users\Admin\AppData\Local\Temp\DiskProtect190001\DiskScan.exe
Filesize
1.1MB

MD5
e55e34c44364e591b70c6146c1419c0a

SHA1
7fd802274a79d359f7cf7c03f86b13326089303b

SHA256
238dc0eb1fd09cd7f83acda372161355247ebc2d9e1c24072c4d745c7c6af716

SHA512
a3ee524390ad3e689b2e838b251b24203291227f2ad95b4087c157d5550c0b22651ba6f36a43c1084cfebab3a1aaabdc8232e4fab742039ab00411c40ce7d09c

Download Submit
\Users\Admin\AppData\Local\Temp\DiskProtect190001\DiskScan.exe
Filesize
1.1MB

MD5
e55e34c44364e591b70c6146c1419c0a

SHA1
7fd802274a79d359f7cf7c03f86b13326089303b

SHA256
238dc0eb1fd09cd7f83acda372161355247ebc2d9e1c24072c4d745c7c6af716

SHA512
a3ee524390ad3e689b2e838b251b24203291227f2ad95b4087c157d5550c0b22651ba6f36a43c1084cfebab3a1aaabdc8232e4fab742039ab00411c40ce7d09c

Download Submit
\Users\Admin\AppData\Local\Temp\DiskProtect190001\DiskScan.exe
Filesize
1.1MB

MD5
e55e34c44364e591b70c6146c1419c0a

SHA1
7fd802274a79d359f7cf7c03f86b13326089303b

SHA256
238dc0eb1fd09cd7f83acda372161355247ebc2d9e1c24072c4d745c7c6af716

SHA512
a3ee524390ad3e689b2e838b251b24203291227f2ad95b4087c157d5550c0b22651ba6f36a43c1084cfebab3a1aaabdc8232e4fab742039ab00411c40ce7d09c

Download Submit
\Users\Admin\AppData\Local\Temp\is-V9UUR.tmp\4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.tmp
Filesize
2.5MB

MD5
b791cce5df067cdb8b8a8eae20d3c8f4

SHA1
9558d6e5de346d2e444ac869e885d101dcf94b83

SHA256
c4905f1105c0d90fa77d346c8b088ac6a1a18326c0d356f24fee45ef6484955e

SHA512
fada58d582d51406728cf6018110e0f8acef09b9f55fcb22252660524b98f33b7695c4f0cd3e4bfa6b47c4e82d7a335665a3be86f6ea3218ea30ffa7c025444f

Download Submit
memory/1104-66-0x0000000000000000-mapping.dmp

Download
memory/1600-70-0x0000000000000000-mapping.dmp

Download
memory/1732-58-0x0000000000000000-mapping.dmp

Download
memory/1732-62-0x00000000742A1000-0x00000000742A3000-memory.dmp

Filesize
8KB

Download
memory/1880-64-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/1880-69-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/1880-54-0x00000000755A1000-0x00000000755A3000-memory.dmp

Filesize
8KB

Download
memory/1880-60-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/1880-55-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download