socelars | 935ab16af295890d21795edad0e53539110716d9007e8a8dab7fe3d406298b7a

Analysis

max time kernel
54s
max time network
59s
platform
windows7_x64
resource
win7-20220414-en
submitted
25-06-2022 08:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

935ab16af295890d21795edad0e53539110716d9007e8a8dab7fe3d406298b7a.exe
Size

844KB
MD5

bace9540f70e635d99318c7cfa4a6c82
SHA1

82decd85f9506ebe210c36d6c0ab9c06365105c6
SHA256

935ab16af295890d21795edad0e53539110716d9007e8a8dab7fe3d406298b7a
SHA512

ebb076438662bc1a1aca2e75a35f52484cd767282ae29faa1717b323adfc59fa89c95bbd98ecc269605d47d49bf6e5d4c947ed1b4a6dc7411da19cd38a8f1811

Score

10^/10

socelars discovery stealer

Malware Config

Extracted

Family

socelars

http://www.zhxxjs.pw/Info/

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Executes dropped EXE 2 IoCs

Processes:

935ab16af295890d21795edad0e53539110716d9007e8a8dab7fe3d406298b7a.tmpDiskScan.exe

pid process

952 935ab16af295890d21795edad0e53539110716d9007e8a8dab7fe3d406298b7a.tmp
1208 DiskScan.exe

Loads dropped DLL 6 IoCs

Processes:

935ab16af295890d21795edad0e53539110716d9007e8a8dab7fe3d406298b7a.exe935ab16af295890d21795edad0e53539110716d9007e8a8dab7fe3d406298b7a.tmpWerFault.exe

pid	process
904	935ab16af295890d21795edad0e53539110716d9007e8a8dab7fe3d406298b7a.exe
952	935ab16af295890d21795edad0e53539110716d9007e8a8dab7fe3d406298b7a.tmp
320	WerFault.exe
320	WerFault.exe
320	WerFault.exe
320	WerFault.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

320 1208 WerFault.exe DiskScan.exe

pid	pid_target	process	target process
320	1208	WerFault.exe	DiskScan.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

935ab16af295890d21795edad0e53539110716d9007e8a8dab7fe3d406298b7a.tmp

pid	process
952	935ab16af295890d21795edad0e53539110716d9007e8a8dab7fe3d406298b7a.tmp
952	935ab16af295890d21795edad0e53539110716d9007e8a8dab7fe3d406298b7a.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

935ab16af295890d21795edad0e53539110716d9007e8a8dab7fe3d406298b7a.tmp

pid process

952 935ab16af295890d21795edad0e53539110716d9007e8a8dab7fe3d406298b7a.tmp

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

935ab16af295890d21795edad0e53539110716d9007e8a8dab7fe3d406298b7a.exe935ab16af295890d21795edad0e53539110716d9007e8a8dab7fe3d406298b7a.tmpDiskScan.exe

description	pid	process	target process
PID 904 wrote to memory of 952	904	935ab16af295890d21795edad0e53539110716d9007e8a8dab7fe3d406298b7a.exe	935ab16af295890d21795edad0e53539110716d9007e8a8dab7fe3d406298b7a.tmp
PID 904 wrote to memory of 952	904	935ab16af295890d21795edad0e53539110716d9007e8a8dab7fe3d406298b7a.exe	935ab16af295890d21795edad0e53539110716d9007e8a8dab7fe3d406298b7a.tmp
PID 904 wrote to memory of 952	904	935ab16af295890d21795edad0e53539110716d9007e8a8dab7fe3d406298b7a.exe	935ab16af295890d21795edad0e53539110716d9007e8a8dab7fe3d406298b7a.tmp
PID 904 wrote to memory of 952	904	935ab16af295890d21795edad0e53539110716d9007e8a8dab7fe3d406298b7a.exe	935ab16af295890d21795edad0e53539110716d9007e8a8dab7fe3d406298b7a.tmp
PID 904 wrote to memory of 952	904	935ab16af295890d21795edad0e53539110716d9007e8a8dab7fe3d406298b7a.exe	935ab16af295890d21795edad0e53539110716d9007e8a8dab7fe3d406298b7a.tmp
PID 904 wrote to memory of 952	904	935ab16af295890d21795edad0e53539110716d9007e8a8dab7fe3d406298b7a.exe	935ab16af295890d21795edad0e53539110716d9007e8a8dab7fe3d406298b7a.tmp
PID 904 wrote to memory of 952	904	935ab16af295890d21795edad0e53539110716d9007e8a8dab7fe3d406298b7a.exe	935ab16af295890d21795edad0e53539110716d9007e8a8dab7fe3d406298b7a.tmp
PID 952 wrote to memory of 1208	952	935ab16af295890d21795edad0e53539110716d9007e8a8dab7fe3d406298b7a.tmp	DiskScan.exe
PID 952 wrote to memory of 1208	952	935ab16af295890d21795edad0e53539110716d9007e8a8dab7fe3d406298b7a.tmp	DiskScan.exe
PID 952 wrote to memory of 1208	952	935ab16af295890d21795edad0e53539110716d9007e8a8dab7fe3d406298b7a.tmp	DiskScan.exe
PID 952 wrote to memory of 1208	952	935ab16af295890d21795edad0e53539110716d9007e8a8dab7fe3d406298b7a.tmp	DiskScan.exe
PID 1208 wrote to memory of 320	1208	DiskScan.exe	WerFault.exe
PID 1208 wrote to memory of 320	1208	DiskScan.exe	WerFault.exe
PID 1208 wrote to memory of 320	1208	DiskScan.exe	WerFault.exe
PID 1208 wrote to memory of 320	1208	DiskScan.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\935ab16af295890d21795edad0e53539110716d9007e8a8dab7fe3d406298b7a.exe
"C:\Users\Admin\AppData\Local\Temp\935ab16af295890d21795edad0e53539110716d9007e8a8dab7fe3d406298b7a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:904

C:\Users\Admin\AppData\Local\Temp\is-QAH30.tmp\935ab16af295890d21795edad0e53539110716d9007e8a8dab7fe3d406298b7a.tmp
"C:\Users\Admin\AppData\Local\Temp\is-QAH30.tmp\935ab16af295890d21795edad0e53539110716d9007e8a8dab7fe3d406298b7a.tmp" /SL5="$60124,579731,121344,C:\Users\Admin\AppData\Local\Temp\935ab16af295890d21795edad0e53539110716d9007e8a8dab7fe3d406298b7a.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:952

C:\Users\Admin\AppData\Local\Temp\DiskProtect190001\DiskScan.exe
"C:\Users\Admin\AppData\Local\Temp\DiskProtect190001\DiskScan.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1208 -s 492
4⤵
- Loads dropped DLL
- Program crash
PID:320

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DiskProtect190001\DiskScan.exe
Filesize
1.1MB

MD5
a4f31741712ef63adf483ba328799134

SHA1
0fcc0a7fad9a4cf0e608c62546f5e39494585157

SHA256
3b663ede7e2bdebaab3e2253f6c135b133a91edf92147692f6b87ff301a30d91

SHA512
3d15514506fca998b23df148bb59abe0d25c227c410c367f5577d95d5e14ac31eca78852e45a03caabe47685140d178548eb8aa10ac62965d24a304e370eb31d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QAH30.tmp\935ab16af295890d21795edad0e53539110716d9007e8a8dab7fe3d406298b7a.tmp
Filesize
764KB

MD5
d30833e554463c73261f5b92d735e22a

SHA1
bac70c10e2b6f2d686c2e0cfe52750722f2107cd

SHA256
0056d30ceec26860014e0ad4a72f27efe9e122e7729cff71e34c3b84101e696e

SHA512
cf91ac768a9cbff960cd4ad04c4f6aeae840ac710bc37f81dca95ee356171333d6505bb97c9b7e40057ab377555af3e7dae0f77ce8adfbaab933824a22a342e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QAH30.tmp\935ab16af295890d21795edad0e53539110716d9007e8a8dab7fe3d406298b7a.tmp
Filesize
764KB

MD5
d30833e554463c73261f5b92d735e22a

SHA1
bac70c10e2b6f2d686c2e0cfe52750722f2107cd

SHA256
0056d30ceec26860014e0ad4a72f27efe9e122e7729cff71e34c3b84101e696e

SHA512
cf91ac768a9cbff960cd4ad04c4f6aeae840ac710bc37f81dca95ee356171333d6505bb97c9b7e40057ab377555af3e7dae0f77ce8adfbaab933824a22a342e1

Download Submit
\Users\Admin\AppData\Local\Temp\DiskProtect190001\DiskScan.exe
Filesize
1.1MB

MD5
a4f31741712ef63adf483ba328799134

SHA1
0fcc0a7fad9a4cf0e608c62546f5e39494585157

SHA256
3b663ede7e2bdebaab3e2253f6c135b133a91edf92147692f6b87ff301a30d91

SHA512
3d15514506fca998b23df148bb59abe0d25c227c410c367f5577d95d5e14ac31eca78852e45a03caabe47685140d178548eb8aa10ac62965d24a304e370eb31d

Download Submit
\Users\Admin\AppData\Local\Temp\DiskProtect190001\DiskScan.exe
Filesize
1.1MB

MD5
a4f31741712ef63adf483ba328799134

SHA1
0fcc0a7fad9a4cf0e608c62546f5e39494585157

SHA256
3b663ede7e2bdebaab3e2253f6c135b133a91edf92147692f6b87ff301a30d91

SHA512
3d15514506fca998b23df148bb59abe0d25c227c410c367f5577d95d5e14ac31eca78852e45a03caabe47685140d178548eb8aa10ac62965d24a304e370eb31d

Download Submit
\Users\Admin\AppData\Local\Temp\DiskProtect190001\DiskScan.exe
Filesize
1.1MB

MD5
a4f31741712ef63adf483ba328799134

SHA1
0fcc0a7fad9a4cf0e608c62546f5e39494585157

SHA256
3b663ede7e2bdebaab3e2253f6c135b133a91edf92147692f6b87ff301a30d91

SHA512
3d15514506fca998b23df148bb59abe0d25c227c410c367f5577d95d5e14ac31eca78852e45a03caabe47685140d178548eb8aa10ac62965d24a304e370eb31d

Download Submit
\Users\Admin\AppData\Local\Temp\DiskProtect190001\DiskScan.exe
Filesize
1.1MB

MD5
a4f31741712ef63adf483ba328799134

SHA1
0fcc0a7fad9a4cf0e608c62546f5e39494585157

SHA256
3b663ede7e2bdebaab3e2253f6c135b133a91edf92147692f6b87ff301a30d91

SHA512
3d15514506fca998b23df148bb59abe0d25c227c410c367f5577d95d5e14ac31eca78852e45a03caabe47685140d178548eb8aa10ac62965d24a304e370eb31d

Download Submit
\Users\Admin\AppData\Local\Temp\DiskProtect190001\DiskScan.exe
Filesize
1.1MB

MD5
a4f31741712ef63adf483ba328799134

SHA1
0fcc0a7fad9a4cf0e608c62546f5e39494585157

SHA256
3b663ede7e2bdebaab3e2253f6c135b133a91edf92147692f6b87ff301a30d91

SHA512
3d15514506fca998b23df148bb59abe0d25c227c410c367f5577d95d5e14ac31eca78852e45a03caabe47685140d178548eb8aa10ac62965d24a304e370eb31d

Download Submit
\Users\Admin\AppData\Local\Temp\is-QAH30.tmp\935ab16af295890d21795edad0e53539110716d9007e8a8dab7fe3d406298b7a.tmp
Filesize
764KB

MD5
d30833e554463c73261f5b92d735e22a

SHA1
bac70c10e2b6f2d686c2e0cfe52750722f2107cd

SHA256
0056d30ceec26860014e0ad4a72f27efe9e122e7729cff71e34c3b84101e696e

SHA512
cf91ac768a9cbff960cd4ad04c4f6aeae840ac710bc37f81dca95ee356171333d6505bb97c9b7e40057ab377555af3e7dae0f77ce8adfbaab933824a22a342e1

Download Submit
memory/320-69-0x0000000000000000-mapping.dmp

Download
memory/904-57-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/904-68-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/904-54-0x00000000751C1000-0x00000000751C3000-memory.dmp

Filesize
8KB

Download
memory/904-55-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/952-62-0x00000000744A1000-0x00000000744A3000-memory.dmp

Filesize
8KB

Download
memory/952-59-0x0000000000000000-mapping.dmp

Download
memory/1208-65-0x0000000000000000-mapping.dmp

Download