Analysis
  max time kernel: 206s
  max time network: 239s
  platform: windows10-2004_x64
  resource: win10v2004-20221111-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 27-11-2022 06:22
General
  Target: 5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe
  Size: 675KB
  MD5: f18185c1617ef70a6298e02ec286b11b
  SHA1: fde9f897241c40ea80540393370e5c730dd5a660
  SHA256: 5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82
  SHA512: 7223d406b66b90ea1b105aeb6a0cec08270df00d5be282387aef65eda2d914bf5ca2d3236dfac40d68e5a328e4df9fb2e2ea0ee7b1483d8a932e861a267de33c
  SSDEEP: 12288:HqlMhfymUyZzk8ri+hcGgn9cJBJYGahyHY2oSj97E6zUaCFBhCb0p:H5kxyZFe+hcGEXGwiY2jK5aS
  The target file name is the sample's SHA256 plus .exe, so the name it was delivered under is not available from this report.
Malware Config
  Extracted (family: socelars)
  https://hdbywe.s3.us-west-2.amazonaws.com/sauydga27/
  The extracted URL is an Amazon S3 bucket path (virtual-hosted-style name: bucket hdbywe, region us-west-2); this is the indicator behind the "Legitimate hosting services abused for malware hosting/C2" signature below.
Signatures

Socelars payload (1 IoC)
  resource                                                                       yara_rule
  behavioral1/memory/3548-133-0x0000000000400000-0x000000000058E000-memory.dmp  family_socelars

UPX (yara_rule upx, 2 IoCs)
  resource                                                                       yara_rule
  behavioral1/memory/3548-132-0x0000000000400000-0x000000000058E000-memory.dmp  upx
  behavioral1/memory/3548-133-0x0000000000400000-0x000000000058E000-memory.dmp  upx
  Both rules match memory dumps of pid 3548 covering 0x400000-0x58E000, the region at the default 32-bit image base: the upx rule on dumps 132 and 133, the family rule only on the later dump 133. That is consistent with a UPX-packed sample whose unpacked Socelars payload is recognised once it has executed in memory.
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

Legitimate hosting services abused for malware hosting/C2 (1 TTP)
  The extracted configuration points at an Amazon S3 bucket (see Malware Config above). Traffic to s3.us-west-2.amazonaws.com is indistinguishable from legitimate cloud usage at the hostname level, so block or hunt on the full bucket path rather than the domain.
Drops file in Program Files directory (10 IoCs)
  Process: 5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe
  File created                  C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html
  File created                  C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png
  File created                  C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js
  File created                  C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js
  File created                  C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json
  File opened for modification  C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js
  File created                  C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js
  File created                  C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js
  File created                  C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js
  File created                  C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js
  What was dropped: the directory name is 32 lowercase letters from a to p, the format of a Chrome extension ID, and the file set (manifest.json, background.html, js\background.js, js\content.js, an icon, bundled jQuery) is the layout of an unpacked browser extension. aes.js, mode-ecb.js and pad-nopadding.js are the file names of CryptoJS's AES, ECB-mode and no-padding components, so the extension ships its own AES-ECB primitive; the page does not show what it encrypts. Writing under C:\Program Files needs an elevated token (a non-elevated legacy process would have its writes redirected to VirtualStore), so the real paths logged here are consistent with the sample running elevated in this sandbox.
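The check a practitioner would run over this file list is whether an ID-shaped directory outside the browser profile received a loadable extension. The Python below is an added example written for this page, not code from the sandbox or from the malware: the profile-location marker and the "typical" file names are assumptions, and the input events are constructed from the ten entries above.

```python
"""Heuristic for an unpacked browser extension dropped outside the browser profile.
Added example written for this page; not part of the sandbox report or of Socelars."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Chrome extension IDs are 32 lowercase letters a..p (each hex digit of the key hash
# mapped onto a letter), which is exactly the shape of the dropped directory name.
EXTENSION_ID = re.compile(r"^[a-p]{32}$")

REQUIRED = {"manifest.json"}                        # without it nothing is loadable
TYPICAL = {"background.html", "background.js", "content.js"}

# Where Chrome itself keeps extensions; a drop anywhere else is the interesting case.
# Assumption for the example: Chrome only, default profile location.
PROFILE_MARKERS = (r"\appdata\local\google\chrome\user data",)


def find_dropped_extensions(file_events):
    """file_events: iterable of (action, path) as the sandbox lists them.

    Returns {extension_dir: {id, files, modified, typical_hits, outside_profile}}
    for every ID-shaped directory that received a manifest.json."""
    by_root = defaultdict(lambda: {"files": set(), "modified": set()})
    for action, path in file_events:
        p = PureWindowsPath(path)
        # Attribute the file to the nearest ancestor whose leaf looks like an extension ID.
        for parent in p.parents:
            if EXTENSION_ID.match(parent.name):
                rel = p.relative_to(parent).as_posix()
                by_root[str(parent)]["files"].add(rel)
                if "modification" in action.lower():
                    by_root[str(parent)]["modified"].add(rel)
                break

    findings = {}
    for root, info in by_root.items():
        names = {PureWindowsPath(f).name for f in info["files"]}
        if not REQUIRED <= names:
            continue  # ID-shaped directory, but no manifest: not a loadable extension
        findings[root] = {
            "id": PureWindowsPath(root).name,
            "files": sorted(info["files"]),
            "modified": sorted(info["modified"]),
            "typical_hits": sorted(TYPICAL & names),
            "outside_profile": not any(m in root.lower() for m in PROFILE_MARKERS),
        }
    return findings


# Constructed input: the ten file events from the report above, in the order listed.
EXT_DIR = r"C:\Program Files\aieoplapobidheellikiicjfpamacpfd"
REPORT_EVENTS = [
    ("File created", EXT_DIR + r"\background.html"),
    ("File created", EXT_DIR + r"\icon.png"),
    ("File created", EXT_DIR + r"\js\mode-ecb.js"),
    ("File created", EXT_DIR + r"\js\pad-nopadding.js"),
    ("File created", EXT_DIR + r"\manifest.json"),
    ("File opened for modification", EXT_DIR + r"\js\background.js"),
    ("File created", EXT_DIR + r"\js\aes.js"),
    ("File created", EXT_DIR + r"\js\background.js"),
    ("File created", EXT_DIR + r"\js\content.js"),
    ("File created", EXT_DIR + r"\js\jquery-3.3.1.min.js"),
]

if __name__ == "__main__":
    for root, f in find_dropped_extensions(REPORT_EVENTS).items():
        print(f"{root}\n  id={f['id']} outside_profile={f['outside_profile']} "
              f"typical={f['typical_hits']} modified={f['modified']}")
```

The manifest requirement is what keeps this from firing on every 32-letter directory name; the outside_profile flag is the part that matters for this report, since an extension Chrome installed itself would sit under the user's profile, not under C:\Program Files.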
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). "Likely ransomware behaviour" is this signature's generic description; on this page the sample is classified as Socelars, an infostealer (see the Socelars payload and browser-data signatures), and nothing in the report shows file encryption, so read this as drive enumeration rather than evidence of a ransomware stage.
Kills process with taskkill (1 IoC)
  pid 2728  taskkill.exe
  The command line (see the process tree below) is taskkill /f /im chrome.exe, launched through cmd.exe /c by the sample: every running Chrome instance is force-terminated before the sample starts chrome.exe itself.
Suspicious use of AdjustPrivilegeToken (35 IoCs)
  pid 3548  5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe, in the order logged:
    SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege,
    SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
    SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
    SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege,
    SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege,
    SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege,
    SeCreateGlobalPrivilege, and five privileges reported by LUID only: 31, 32, 33, 34, 35
  pid 2728  taskkill.exe
    SeDebugPrivilege
  The 34 adjustments by pid 3548 are, in exactly the order logged, every well-known privilege LUID from 2 (SeCreateTokenPrivilege) through 35: the signature of a loop that tries to enable every privilege in the token rather than a request for the one privilege the program needs. The count is of AdjustTokenPrivileges calls; it does not show which privileges the token actually held, and a privilege the token lacks is not gained by this call. taskkill's single SeDebugPrivilege is its normal behaviour when terminating processes with /f.
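Separating that enable-everything sweep from a targeted privilege request is a useful triage rule, because the sweep is what a generic "get all the rights I can" routine produces and a single SeDebugPrivilege is what taskkill, debuggers and many legitimate tools do. The Python below is an added example written for this page, not code from the sandbox: it parses the report's own "Token: <privilege> <pid> <image>" record shape, maps names to the well-known winnt.h LUIDs, and classifies each pid. The input text is constructed to reproduce the 35 records listed above.

```python
"""Tell an enable-every-privilege sweep apart from a targeted privilege request in the
sandbox's 'Token: <privilege> <pid> <image>' records.
Added example written for this page; not part of the report."""
import re
from collections import defaultdict

# Well-known privilege LUIDs from winnt.h: SE_MIN_WELL_KNOWN_PRIVILEGE (2) through
# SE_CREATE_SYMBOLIC_LINK_PRIVILEGE (35). The report names 2..30 and shows 31..35 numerically.
LUID = {
    "SeCreateTokenPrivilege": 2, "SeAssignPrimaryTokenPrivilege": 3, "SeLockMemoryPrivilege": 4,
    "SeIncreaseQuotaPrivilege": 5, "SeMachineAccountPrivilege": 6, "SeTcbPrivilege": 7,
    "SeSecurityPrivilege": 8, "SeTakeOwnershipPrivilege": 9, "SeLoadDriverPrivilege": 10,
    "SeSystemProfilePrivilege": 11, "SeSystemtimePrivilege": 12, "SeProfSingleProcessPrivilege": 13,
    "SeIncBasePriorityPrivilege": 14, "SeCreatePagefilePrivilege": 15, "SeCreatePermanentPrivilege": 16,
    "SeBackupPrivilege": 17, "SeRestorePrivilege": 18, "SeShutdownPrivilege": 19,
    "SeDebugPrivilege": 20, "SeAuditPrivilege": 21, "SeSystemEnvironmentPrivilege": 22,
    "SeChangeNotifyPrivilege": 23, "SeRemoteShutdownPrivilege": 24, "SeUndockPrivilege": 25,
    "SeSyncAgentPrivilege": 26, "SeEnableDelegationPrivilege": 27, "SeManageVolumePrivilege": 28,
    "SeImpersonatePrivilege": 29, "SeCreateGlobalPrivilege": 30,
    "SeTrustedCredManAccessPrivilege": 31, "SeRelabelPrivilege": 32,
    "SeIncreaseWorkingSetPrivilege": 33, "SeTimeZonePrivilege": 34, "SeCreateSymbolicLinkPrivilege": 35,
}
NAME = {v: k for k, v in LUID.items()}

TOKEN_RE = re.compile(r"Token:\s+(\S+)\s+(\d+)\s+(\S+)")


def parse_token_records(text):
    """Yield (pid, image, luid) for each record; a bare number is taken as the LUID itself."""
    for priv, pid, image in TOKEN_RE.findall(text):
        luid = int(priv) if priv.isdigit() else LUID.get(priv)
        yield int(pid), image, luid


def classify_privilege_use(text, sweep_threshold=20):
    """Per pid: sorted LUIDs, whether they form one contiguous run, and a verdict."""
    per_pid = defaultdict(lambda: {"image": None, "luids": set()})
    for pid, image, luid in parse_token_records(text):
        per_pid[pid]["image"] = image
        if luid is not None:
            per_pid[pid]["luids"].add(luid)
    out = {}
    for pid, info in per_pid.items():
        luids = sorted(info["luids"])
        contiguous = bool(luids) and luids == list(range(luids[0], luids[-1] + 1))
        if contiguous and len(luids) >= sweep_threshold:
            verdict = "enable-all sweep"            # loop over every well-known LUID
        elif luids == [LUID["SeDebugPrivilege"]]:
            verdict = "targeted SeDebugPrivilege"  # what taskkill /f needs to open other processes
        else:
            verdict = "targeted"
        out[pid] = {"image": info["image"], "luids": luids,
                    "contiguous": contiguous, "verdict": verdict}
    return out


# Constructed input reproducing the 35 records in the signature above: pid 3548 with
# names for LUIDs 2..30 and bare numbers 31..35, then taskkill.exe's single SeDebugPrivilege.
SAMPLE = "5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe"
REPORT_TEXT = " ".join(
    [f"Token: {NAME[n]} 3548 {SAMPLE}" for n in range(2, 31)]
    + [f"Token: {n} 3548 {SAMPLE}" for n in range(31, 36)]
    + ["Token: SeDebugPrivilege 2728 taskkill.exe"]
)

if __name__ == "__main__":
    for pid, r in classify_privilege_use(REPORT_TEXT).items():
        print(pid, r["image"], r["verdict"],
              f"{len(r['luids'])} privileges, contiguous={r['contiguous']}")
```

The contiguity test is what distinguishes a loop from a long but deliberate list; a dropper that only wanted SeDebugPrivilege and SeBackupPrivilege would come out as "targeted" even though it touches two privileges.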
Suspicious use of WriteProcessMemory (10 IoCs)
  writer pid  writer image                                                          target pid  target image   writes
  3548        5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe  3492        cmd.exe        3
  3492        cmd.exe                                                               2728        taskkill.exe   3
  3548        5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe  3576        chrome.exe     2
  3576        chrome.exe                                                            3396        chrome.exe     2
  Every target is the writer's direct child in the process tree below and the writes cluster around each child's creation. That is the pattern of a parent setting up a process it has just created, which this signature also records, rather than injection into an unrelated process; nothing on the page shows a write into a process the sample did not start.
Processes
  [1] C:\Users\Admin\AppData\Local\Temp\5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe"
      - Drops file in Program Files directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\cmd.exe
        command line: cmd.exe /c taskkill /f /im chrome.exe
        - Suspicious use of WriteProcessMemory
      [3] C:\Windows\SysWOW64\taskkill.exe
          command line: taskkill /f /im chrome.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
        - Suspicious use of WriteProcessMemory
      [3] C:\Program Files\Google\Chrome\Application\chrome.exe
          command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa1cb34f50,0x7ffa1cb34f60,0x7ffa1cb34f70

  Notes on the tree:
  - cmd.exe and taskkill.exe run from C:\Windows\SysWOW64, so the process that launched them (the sample, pid 3548) is 32-bit: a WOW64 process that asks for System32 is redirected to SysWOW64 by the file-system redirector.
  - The order is kill, then relaunch: the sample first force-terminates every chrome.exe via cmd.exe /c taskkill /f /im chrome.exe, then starts chrome.exe itself. Combined with the extension-shaped directory dropped into C:\Program Files this has the shape of a browser-extension install, but the relaunch command line recorded here has no arguments, so the page does not show how, or whether, the dropped extension gets loaded.
  - The depth-3 chrome.exe (--type=crashpad-handler, ver=89.0.4389.114) is Chrome's own crash-reporting helper, spawned by the browser the sample relaunched; it is not a component of the malware.
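The detection worth carrying away from this tree (and from the "Kills process with taskkill" signature above) is the sequence itself: a binary running from a user-writable path kills a browser and then starts that same browser, while browser-spawned browser children such as the crashpad handler are ignored. The Python below is an added example written for this page, not code from the sandbox or the malware. The Proc event shape, the list of untrusted launch paths and the placeholder parent pid of the sample are assumptions; the events are constructed from the five processes shown above, with the crashpad command line abbreviated.

```python
"""Flag the browser kill-and-relaunch pattern in process-creation events.
Added example written for this page; the event shape (Proc), the untrusted-root list and
the placeholder ppid of the sample are assumptions, not data from the report."""
from collections import namedtuple
from pathlib import PureWindowsPath

Proc = namedtuple("Proc", "pid ppid image cmdline")  # one creation event; list is in creation order

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
# Paths a dropper typically executes from (assumption for the example).
UNTRUSTED_ROOTS = (r"\appdata\local\temp", r"\appdata\roaming", r"\users\public", r"\programdata")


def killed_browser(cmdline):
    """Return the browser image named by 'taskkill ... /im <image>' in cmdline, else None.
    Token-based, so it matches both the cmd.exe /c wrapper and the taskkill.exe process."""
    toks = [t.lower() for t in cmdline.replace('"', "").split()]
    if not any(t.endswith("taskkill") or t.endswith("taskkill.exe") for t in toks):
        return None
    if "/im" not in toks or toks.index("/im") + 1 >= len(toks):
        return None
    target = toks[toks.index("/im") + 1]
    return target if target in BROWSERS else None


def root_of(by_pid, pid):
    """Walk ppid links to the highest ancestor present in the event set."""
    cur = by_pid[pid]
    while cur.ppid in by_pid:
        cur = by_pid[cur.ppid]
    return cur


def from_untrusted_root(image):
    low = image.lower()
    return any(marker in low for marker in UNTRUSTED_ROOTS)


def detect_kill_and_relaunch(procs):
    """A tree rooted in an untrusted path kills a browser, then a non-browser member of the
    same tree starts that browser. Browser-spawned browser children (Chrome's crashpad-handler,
    renderers) are ignored, as is a relaunch that precedes the kill."""
    by_pid = {p.pid: p for p in procs}
    first_kill = {}  # (root_pid, browser) -> index of the earliest kill event
    for i, p in enumerate(procs):
        b = killed_browser(p.cmdline)
        if b:
            first_kill.setdefault((root_of(by_pid, p.pid).pid, b), i)

    findings = []
    for i, p in enumerate(procs):
        name = PureWindowsPath(p.image).name.lower()
        if name not in BROWSERS or p.ppid not in by_pid:
            continue
        parent_name = PureWindowsPath(by_pid[p.ppid].image).name.lower()
        if parent_name in BROWSERS:
            continue  # the browser starting its own helper processes
        root = root_of(by_pid, p.pid)
        k = first_kill.get((root.pid, name))
        if k is not None and k < i and from_untrusted_root(root.image):
            findings.append({"root_pid": root.pid, "root_image": root.image, "browser": name,
                             "killer_index": k, "relaunch_pid": p.pid, "relaunch_cmdline": p.cmdline})
    return findings


# Constructed from the process tree above. ppid 1000 for the sample is a placeholder:
# the report does not show what started it. The crashpad command line is abbreviated.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
REPORT_TREE = [
    Proc(3548, 1000, SAMPLE, f'"{SAMPLE}"'),
    Proc(3492, 3548, r"C:\Windows\SysWOW64\cmd.exe", "cmd.exe /c taskkill /f /im chrome.exe"),
    Proc(2728, 3492, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /f /im chrome.exe"),
    Proc(3576, 3548, CHROME, f'"{CHROME}"'),
    Proc(3396, 3576, CHROME, f'"{CHROME}" --type=crashpad-handler'),
]

if __name__ == "__main__":
    for f in detect_kill_and_relaunch(REPORT_TREE):
        print(f"pid {f['root_pid']} ({f['root_image']}) killed and relaunched "
              f"{f['browser']} as pid {f['relaunch_pid']}")
```

Attributing both the kill and the relaunch to the root of the tree is what makes the rule survive the cmd.exe indirection used here; requiring the root to come from an untrusted path is what keeps a vendor installer under C:\Program Files that restarts the browser from being flagged.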