socelars | 396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875

General

Target

396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.exe
Size

1.9MB
MD5

20b489eaf040e049a47c082170acc9b8
SHA1

185eabfdd755f94c8eaa80baed99b5a4e06b3ca2
SHA256

396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875
SHA512

1af4b40a3572aa0fdbd4c8b8cd974d0bff85d5c99203057e09abe222f24fce7e160d2155b8ec3b697bdd2efb65d1701a658c8d0f485ed0461af5a852561a6f3f

Score

10^/10

socelars discovery stealer

Malware Config

Extracted

Family

socelars

C2

http://www.zhxxjs.pw/Info/

http://www.allinfo.pw/

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Executes dropped EXE 2 IoCs

Processes:

396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.tmpDiskScan.exe

pid process

4980 396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.tmp
4928 DiskScan.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5080 4928 WerFault.exe DiskScan.exe

pid	pid_target	process	target process
5080	4928	WerFault.exe	DiskScan.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.tmp

pid	process
4980	396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.tmp
4980	396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.tmp

pid process

4980 396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.tmp

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.exe396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.tmp

description	pid	process	target process
PID 4228 wrote to memory of 4980	4228	396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.exe	396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.tmp
PID 4228 wrote to memory of 4980	4228	396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.exe	396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.tmp
PID 4228 wrote to memory of 4980	4228	396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.exe	396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.tmp
PID 4980 wrote to memory of 4928	4980	396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.tmp	DiskScan.exe
PID 4980 wrote to memory of 4928	4980	396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.tmp	DiskScan.exe
PID 4980 wrote to memory of 4928	4980	396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.tmp	DiskScan.exe

C:\Users\Admin\AppData\Local\Temp\396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.exe
"C:\Users\Admin\AppData\Local\Temp\396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4228

C:\Users\Admin\AppData\Local\Temp\is-4JLJ4.tmp\396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.tmp
"C:\Users\Admin\AppData\Local\Temp\is-4JLJ4.tmp\396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.tmp" /SL5="$901CE,1244772,784384,C:\Users\Admin\AppData\Local\Temp\396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4980

C:\Users\Admin\AppData\Local\Temp\DiskProtect190001\DiskScan.exe
"C:\Users\Admin\AppData\Local\Temp\DiskProtect190001\DiskScan.exe"
3⤵
- Executes dropped EXE
PID:4928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 1212
4⤵
- Program crash
PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4928 -ip 4928
1⤵
PID:1104

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DiskProtect190001\DiskScan.exe
Filesize
1.1MB

MD5
46d380dc43a98463afcdf562f55416bd

SHA1
c92edab2128908f8c86f6ed6e971db4b8b2aa77d

SHA256
f28d5f9277e2c0ee3cdee500666991e02dc8040e4790ab3d837dcf3b432ca4cc

SHA512
6736239217beb91b257954ccd1d170a596fcf3a06cf40b99133f18519e5713310113a5d21aded0f78392f1565b544b63c977e17f861101e9640074049195e100

Download Submit
C:\Users\Admin\AppData\Local\Temp\DiskProtect190001\DiskScan.exe
Filesize
1.1MB

MD5
46d380dc43a98463afcdf562f55416bd

SHA1
c92edab2128908f8c86f6ed6e971db4b8b2aa77d

SHA256
f28d5f9277e2c0ee3cdee500666991e02dc8040e4790ab3d837dcf3b432ca4cc

SHA512
6736239217beb91b257954ccd1d170a596fcf3a06cf40b99133f18519e5713310113a5d21aded0f78392f1565b544b63c977e17f861101e9640074049195e100

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4JLJ4.tmp\396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.tmp
Filesize
2.5MB

MD5
5f28081693a97336a2d7df877044fcde

SHA1
9d710db6c618906d9b2e355bb8b2e0b5ab014bad

SHA256
5751a4c9713b058ba5cd757c405865702bee0926d5086efbaa4add627984362d

SHA512
48a8f91d57456409d82e8c5277a494e44e6d71d315cf1d5cfe9bea0ad8797d20a587d2fa7a123cbc4439eb74e6411f7d39743ddf4780abf3826cc7072276fb2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4JLJ4.tmp\396db407c256a9d986e6c9236b138a45a8d036db66fada0986c1de5358fa9875.tmp
Filesize
2.5MB

MD5
5f28081693a97336a2d7df877044fcde

SHA1
9d710db6c618906d9b2e355bb8b2e0b5ab014bad

SHA256
5751a4c9713b058ba5cd757c405865702bee0926d5086efbaa4add627984362d

SHA512
48a8f91d57456409d82e8c5277a494e44e6d71d315cf1d5cfe9bea0ad8797d20a587d2fa7a123cbc4439eb74e6411f7d39743ddf4780abf3826cc7072276fb2f

Download Submit
memory/4228-130-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/4228-134-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/4228-139-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/4228-140-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/4928-136-0x0000000000000000-mapping.dmp

Download
memory/4980-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads