socelars | 396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875

Analysis

max time kernel
40s
max time network
46s
platform
windows7_x64
resource
win7-20220414-en
submitted
25-06-2022 10:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.exe
Size

1.9MB
MD5

20b489eaf040e049a47c082170acc9b8
SHA1

185eabfdd755f94c8eaa80baed99b5a4e06b3ca2
SHA256

396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875
SHA512

1af4b40a3572aa0fdbd4c8b8cd974d0bff85d5c99203057e09abe222f24fce7e160d2155b8ec3b697bdd2efb65d1701a658c8d0f485ed0461af5a852561a6f3f

Score

10^/10

socelars discovery stealer

Malware Config

Extracted

Family

socelars

http://www.zhxxjs.pw/Info/

http://www.allinfo.pw/

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Executes dropped EXE 2 IoCs

Processes:

396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.tmpDiskScan.exe

pid process

280 396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.tmp
1708 DiskScan.exe

Loads dropped DLL 6 IoCs

Processes:

396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.exe396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.tmpWerFault.exe

pid	process
1556	396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.exe
280	396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.tmp
560	WerFault.exe
560	WerFault.exe
560	WerFault.exe
560	WerFault.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

560 1708 WerFault.exe DiskScan.exe

pid	pid_target	process	target process
560	1708	WerFault.exe	DiskScan.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.tmp

pid	process
280	396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.tmp
280	396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.tmp

pid process

280 396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.tmp

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.exe396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.tmpDiskScan.exe

description	pid	process	target process
PID 1556 wrote to memory of 280	1556	396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.exe	396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.tmp
PID 1556 wrote to memory of 280	1556	396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.exe	396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.tmp
PID 1556 wrote to memory of 280	1556	396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.exe	396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.tmp
PID 1556 wrote to memory of 280	1556	396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.exe	396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.tmp
PID 1556 wrote to memory of 280	1556	396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.exe	396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.tmp
PID 1556 wrote to memory of 280	1556	396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.exe	396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.tmp
PID 1556 wrote to memory of 280	1556	396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.exe	396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.tmp
PID 280 wrote to memory of 1708	280	396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.tmp	DiskScan.exe
PID 280 wrote to memory of 1708	280	396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.tmp	DiskScan.exe
PID 280 wrote to memory of 1708	280	396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.tmp	DiskScan.exe
PID 280 wrote to memory of 1708	280	396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.tmp	DiskScan.exe
PID 1708 wrote to memory of 560	1708	DiskScan.exe	WerFault.exe
PID 1708 wrote to memory of 560	1708	DiskScan.exe	WerFault.exe
PID 1708 wrote to memory of 560	1708	DiskScan.exe	WerFault.exe
PID 1708 wrote to memory of 560	1708	DiskScan.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.exe
"C:\Users\Admin\AppData\Local\Temp\396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1556

C:\Users\Admin\AppData\Local\Temp\is-EJF2R.tmp\396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.tmp
"C:\Users\Admin\AppData\Local\Temp\is-EJF2R.tmp\396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.tmp" /SL5="$60122,1244772,784384,C:\Users\Admin\AppData\Local\Temp\396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:280

C:\Users\Admin\AppData\Local\Temp\DiskProtect190001\DiskScan.exe
"C:\Users\Admin\AppData\Local\Temp\DiskProtect190001\DiskScan.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 492
4⤵
- Loads dropped DLL
- Program crash
PID:560

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DiskProtect190001\DiskScan.exe
Filesize
1.1MB

MD5
46d380dc43a98463afcdf562f55416bd

SHA1
c92edab2128908f8c86f6ed6e971db4b8b2aa77d

SHA256
f28d5f9277e2c0ee3cdee500666991e02dc8040e4790ab3d837dcf3b432ca4cc

SHA512
6736239217beb91b257954ccd1d170a596fcf3a06cf40b99133f18519e5713310113a5d21aded0f78392f1565b544b63c977e17f861101e9640074049195e100

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EJF2R.tmp\396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.tmp
Filesize
2.5MB

MD5
5f28081693a97336a2d7df877044fcde

SHA1
9d710db6c618906d9b2e355bb8b2e0b5ab014bad

SHA256
5751a4c9713b058ba5cd757c405865702bee0926d5086efbaa4add627984362d

SHA512
48a8f91d57456409d82e8c5277a494e44e6d71d315cf1d5cfe9bea0ad8797d20a587d2fa7a123cbc4439eb74e6411f7d39743ddf4780abf3826cc7072276fb2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EJF2R.tmp\396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.tmp
Filesize
2.5MB

MD5
5f28081693a97336a2d7df877044fcde

SHA1
9d710db6c618906d9b2e355bb8b2e0b5ab014bad

SHA256
5751a4c9713b058ba5cd757c405865702bee0926d5086efbaa4add627984362d

SHA512
48a8f91d57456409d82e8c5277a494e44e6d71d315cf1d5cfe9bea0ad8797d20a587d2fa7a123cbc4439eb74e6411f7d39743ddf4780abf3826cc7072276fb2f

Download Submit
\Users\Admin\AppData\Local\Temp\DiskProtect190001\DiskScan.exe
Filesize
1.1MB

MD5
46d380dc43a98463afcdf562f55416bd

SHA1
c92edab2128908f8c86f6ed6e971db4b8b2aa77d

SHA256
f28d5f9277e2c0ee3cdee500666991e02dc8040e4790ab3d837dcf3b432ca4cc

SHA512
6736239217beb91b257954ccd1d170a596fcf3a06cf40b99133f18519e5713310113a5d21aded0f78392f1565b544b63c977e17f861101e9640074049195e100

Download Submit
\Users\Admin\AppData\Local\Temp\DiskProtect190001\DiskScan.exe
Filesize
1.1MB

MD5
46d380dc43a98463afcdf562f55416bd

SHA1
c92edab2128908f8c86f6ed6e971db4b8b2aa77d

SHA256
f28d5f9277e2c0ee3cdee500666991e02dc8040e4790ab3d837dcf3b432ca4cc

SHA512
6736239217beb91b257954ccd1d170a596fcf3a06cf40b99133f18519e5713310113a5d21aded0f78392f1565b544b63c977e17f861101e9640074049195e100

Download Submit
\Users\Admin\AppData\Local\Temp\DiskProtect190001\DiskScan.exe
Filesize
1.1MB

MD5
46d380dc43a98463afcdf562f55416bd

SHA1
c92edab2128908f8c86f6ed6e971db4b8b2aa77d

SHA256
f28d5f9277e2c0ee3cdee500666991e02dc8040e4790ab3d837dcf3b432ca4cc

SHA512
6736239217beb91b257954ccd1d170a596fcf3a06cf40b99133f18519e5713310113a5d21aded0f78392f1565b544b63c977e17f861101e9640074049195e100

Download Submit
\Users\Admin\AppData\Local\Temp\DiskProtect190001\DiskScan.exe
Filesize
1.1MB

MD5
46d380dc43a98463afcdf562f55416bd

SHA1
c92edab2128908f8c86f6ed6e971db4b8b2aa77d

SHA256
f28d5f9277e2c0ee3cdee500666991e02dc8040e4790ab3d837dcf3b432ca4cc

SHA512
6736239217beb91b257954ccd1d170a596fcf3a06cf40b99133f18519e5713310113a5d21aded0f78392f1565b544b63c977e17f861101e9640074049195e100

Download Submit
\Users\Admin\AppData\Local\Temp\DiskProtect190001\DiskScan.exe
Filesize
1.1MB

MD5
46d380dc43a98463afcdf562f55416bd

SHA1
c92edab2128908f8c86f6ed6e971db4b8b2aa77d

SHA256
f28d5f9277e2c0ee3cdee500666991e02dc8040e4790ab3d837dcf3b432ca4cc

SHA512
6736239217beb91b257954ccd1d170a596fcf3a06cf40b99133f18519e5713310113a5d21aded0f78392f1565b544b63c977e17f861101e9640074049195e100

Download Submit
\Users\Admin\AppData\Local\Temp\is-EJF2R.tmp\396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.tmp
Filesize
2.5MB

MD5
5f28081693a97336a2d7df877044fcde

SHA1
9d710db6c618906d9b2e355bb8b2e0b5ab014bad

SHA256
5751a4c9713b058ba5cd757c405865702bee0926d5086efbaa4add627984362d

SHA512
48a8f91d57456409d82e8c5277a494e44e6d71d315cf1d5cfe9bea0ad8797d20a587d2fa7a123cbc4439eb74e6411f7d39743ddf4780abf3826cc7072276fb2f

Download Submit
memory/280-58-0x0000000000000000-mapping.dmp

Download
memory/280-62-0x00000000742F1000-0x00000000742F3000-memory.dmp

Filesize
8KB

Download
memory/560-69-0x0000000000000000-mapping.dmp

Download
memory/1556-68-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1556-61-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1556-54-0x0000000075541000-0x0000000075543000-memory.dmp

Filesize
8KB

Download
memory/1556-55-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1708-65-0x0000000000000000-mapping.dmp

Download