socelars | 5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82

General

Target

5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe
Size

675KB
MD5

f18185c1617ef70a6298e02ec286b11b
SHA1

fde9f897241c40ea80540393370e5c730dd5a660
SHA256

5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82
SHA512

7223d406b66b90ea1b105aeb6a0cec08270df00d5be282387aef65eda2d914bf5ca2d3236dfac40d68e5a328e4df9fb2e2ea0ee7b1483d8a932e861a267de33c
SSDEEP

12288:HqlMhfymUyZzk8ri+hcGgn9cJBJYGahyHY2oSj97E6zUaCFBhCb0p:H5kxyZFe+hcGEXGwiY2jK5aS

Score

10^/10

socelars spyware stealer upx

Malware Config

Extracted

Family

socelars

C2

https://hdbywe.s3.us-west-2.amazonaws.com/sauydga27/

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3548-133-0x0000000000400000-0x000000000058E000-memory.dmp	family_socelars

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/3548-132-0x0000000000400000-0x000000000058E000-memory.dmp	upx
behavioral1/memory/3548-133-0x0000000000400000-0x000000000058E000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 10 IoCs

Processes:

5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe

description	ioc	process
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html	5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png	5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js	5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js	5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json	5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe
File opened for modification	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js	5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js	5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js	5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js	5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js	5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2728 taskkill.exe

pid	process
2728	taskkill.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exetaskkill.exe

description	pid	process
Token: SeCreateTokenPrivilege	3548	5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe
Token: SeAssignPrimaryTokenPrivilege	3548	5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe
Token: SeLockMemoryPrivilege	3548	5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe
Token: SeIncreaseQuotaPrivilege	3548	5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe
Token: SeMachineAccountPrivilege	3548	5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe
Token: SeTcbPrivilege	3548	5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe
Token: SeSecurityPrivilege	3548	5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe
Token: SeTakeOwnershipPrivilege	3548	5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe
Token: SeLoadDriverPrivilege	3548	5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe
Token: SeSystemProfilePrivilege	3548	5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe
Token: SeSystemtimePrivilege	3548	5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe
Token: SeProfSingleProcessPrivilege	3548	5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe
Token: SeIncBasePriorityPrivilege	3548	5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe
Token: SeCreatePagefilePrivilege	3548	5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe
Token: SeCreatePermanentPrivilege	3548	5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe
Token: SeBackupPrivilege	3548	5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe
Token: SeRestorePrivilege	3548	5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe
Token: SeShutdownPrivilege	3548	5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe
Token: SeDebugPrivilege	3548	5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe
Token: SeAuditPrivilege	3548	5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe
Token: SeSystemEnvironmentPrivilege	3548	5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe
Token: SeChangeNotifyPrivilege	3548	5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe
Token: SeRemoteShutdownPrivilege	3548	5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe
Token: SeUndockPrivilege	3548	5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe
Token: SeSyncAgentPrivilege	3548	5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe
Token: SeEnableDelegationPrivilege	3548	5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe
Token: SeManageVolumePrivilege	3548	5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe
Token: SeImpersonatePrivilege	3548	5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe
Token: SeCreateGlobalPrivilege	3548	5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe
Token: 31	3548	5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe
Token: 32	3548	5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe
Token: 33	3548	5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe
Token: 34	3548	5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe
Token: 35	3548	5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe
Token: SeDebugPrivilege	2728	taskkill.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.execmd.exechrome.exe

description	pid	process	target process
PID 3548 wrote to memory of 3492	3548	5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe	cmd.exe
PID 3548 wrote to memory of 3492	3548	5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe	cmd.exe
PID 3548 wrote to memory of 3492	3548	5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe	cmd.exe
PID 3492 wrote to memory of 2728	3492	cmd.exe	taskkill.exe
PID 3492 wrote to memory of 2728	3492	cmd.exe	taskkill.exe
PID 3492 wrote to memory of 2728	3492	cmd.exe	taskkill.exe
PID 3548 wrote to memory of 3576	3548	5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe	chrome.exe
PID 3548 wrote to memory of 3576	3548	5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe	chrome.exe
PID 3576 wrote to memory of 3396	3576	chrome.exe	chrome.exe
PID 3576 wrote to memory of 3396	3576	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe
"C:\Users\Admin\AppData\Local\Temp\5125698974e08a13396bc77aa7113e3d45360f723596ca3ec88838bb08359c82.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3548

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3492

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa1cb34f50,0x7ffa1cb34f60,0x7ffa1cb34f70
3⤵
PID:3396

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2728-135-0x0000000000000000-mapping.dmp

Download
memory/3492-134-0x0000000000000000-mapping.dmp

Download
memory/3548-132-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/3548-133-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads