socelars | 4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1

General

Target

4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.exe
Size

1.9MB
MD5

af660b2f594ebabe05a4c4aa117d24f3
SHA1

f16395923445903b3ef674ff250c91b70c87a4aa
SHA256

4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1
SHA512

b015b24fb7fc445b8f568e46a153acbc18f56705d4af6a05c3cd8ab7c38643ced16ee06c6240cd7b14b4bf71cd849aa3f22ca5db76f7ca2a2ead1469bda754ad

Score

10^/10

socelars discovery stealer

Malware Config

Extracted

Family

socelars

C2

http://www.zhxxjs.pw/Info/

http://www.allinfo.pw/

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Executes dropped EXE 2 IoCs

Processes:

4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.tmpDiskScan.exe

pid process

3004 4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.tmp
2288 DiskScan.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2064 2288 WerFault.exe DiskScan.exe

pid	pid_target	process	target process
2064	2288	WerFault.exe	DiskScan.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.tmp

pid	process
3004	4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.tmp
3004	4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.tmp

pid process

3004 4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.tmp

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.exe4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.tmp

description	pid	process	target process
PID 2116 wrote to memory of 3004	2116	4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.exe	4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.tmp
PID 2116 wrote to memory of 3004	2116	4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.exe	4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.tmp
PID 2116 wrote to memory of 3004	2116	4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.exe	4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.tmp
PID 3004 wrote to memory of 2288	3004	4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.tmp	DiskScan.exe
PID 3004 wrote to memory of 2288	3004	4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.tmp	DiskScan.exe
PID 3004 wrote to memory of 2288	3004	4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.tmp	DiskScan.exe

C:\Users\Admin\AppData\Local\Temp\4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.exe
"C:\Users\Admin\AppData\Local\Temp\4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2116

C:\Users\Admin\AppData\Local\Temp\is-N702K.tmp\4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.tmp
"C:\Users\Admin\AppData\Local\Temp\is-N702K.tmp\4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.tmp" /SL5="$501C6,1255089,809984,C:\Users\Admin\AppData\Local\Temp\4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3004

C:\Users\Admin\AppData\Local\Temp\DiskProtect190001\DiskScan.exe
"C:\Users\Admin\AppData\Local\Temp\DiskProtect190001\DiskScan.exe"
3⤵
- Executes dropped EXE
PID:2288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 1200
4⤵
- Program crash
PID:2064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2288 -ip 2288
1⤵
PID:5112

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DiskProtect190001\DiskScan.exe
Filesize
1.1MB

MD5
e55e34c44364e591b70c6146c1419c0a

SHA1
7fd802274a79d359f7cf7c03f86b13326089303b

SHA256
238dc0eb1fd09cd7f83acda372161355247ebc2d9e1c24072c4d745c7c6af716

SHA512
a3ee524390ad3e689b2e838b251b24203291227f2ad95b4087c157d5550c0b22651ba6f36a43c1084cfebab3a1aaabdc8232e4fab742039ab00411c40ce7d09c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DiskProtect190001\DiskScan.exe
Filesize
1.1MB

MD5
e55e34c44364e591b70c6146c1419c0a

SHA1
7fd802274a79d359f7cf7c03f86b13326089303b

SHA256
238dc0eb1fd09cd7f83acda372161355247ebc2d9e1c24072c4d745c7c6af716

SHA512
a3ee524390ad3e689b2e838b251b24203291227f2ad95b4087c157d5550c0b22651ba6f36a43c1084cfebab3a1aaabdc8232e4fab742039ab00411c40ce7d09c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N702K.tmp\4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.tmp
Filesize
2.5MB

MD5
b791cce5df067cdb8b8a8eae20d3c8f4

SHA1
9558d6e5de346d2e444ac869e885d101dcf94b83

SHA256
c4905f1105c0d90fa77d346c8b088ac6a1a18326c0d356f24fee45ef6484955e

SHA512
fada58d582d51406728cf6018110e0f8acef09b9f55fcb22252660524b98f33b7695c4f0cd3e4bfa6b47c4e82d7a335665a3be86f6ea3218ea30ffa7c025444f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N702K.tmp\4201a182b47ffee677c19384e33100bc293a8963a7b3522fd4d8893fa7bc60d1.tmp
Filesize
2.5MB

MD5
b791cce5df067cdb8b8a8eae20d3c8f4

SHA1
9558d6e5de346d2e444ac869e885d101dcf94b83

SHA256
c4905f1105c0d90fa77d346c8b088ac6a1a18326c0d356f24fee45ef6484955e

SHA512
fada58d582d51406728cf6018110e0f8acef09b9f55fcb22252660524b98f33b7695c4f0cd3e4bfa6b47c4e82d7a335665a3be86f6ea3218ea30ffa7c025444f

Download Submit
memory/2116-130-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/2116-132-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/2116-136-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/2116-140-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/2288-137-0x0000000000000000-mapping.dmp

Download
memory/3004-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads