socelars | acef718e5448e8f6f41f0a9e629b1ef41a1f49e30721cfbf906705aed0cd470d

General

Target

acef718e5448e8f6f41f0a9e629b1ef41a1f49e30721cfbf906705aed0cd470d.exe
Size

1.4MB
MD5

f743fe2fb172e1077b3a8ef52ac1a8bb
SHA1

0ec642903f4150a1a9f928a1bf15e1d6cc2031de
SHA256

acef718e5448e8f6f41f0a9e629b1ef41a1f49e30721cfbf906705aed0cd470d
SHA512

8865d5fae693325792c3942ca3da64d841a0f96bab40ae6b49099e22736c350b0922954cc768ec603532f95805330236bf1e9e8a2c847669bb8c63addb57f25c
SSDEEP

24576:kwpk4V9rRM1oDb+enGs2Q6E9ZBJRPHJYrFSJ84ufUxKF6ug:hpRc1OMcV8sJjAUxKsug

Score

10^/10

socelars spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1832 taskkill.exe

pid	process
1832	taskkill.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

acef718e5448e8f6f41f0a9e629b1ef41a1f49e30721cfbf906705aed0cd470d.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	acef718e5448e8f6f41f0a9e629b1ef41a1f49e30721cfbf906705aed0cd470d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	acef718e5448e8f6f41f0a9e629b1ef41a1f49e30721cfbf906705aed0cd470d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	acef718e5448e8f6f41f0a9e629b1ef41a1f49e30721cfbf906705aed0cd470d.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

acef718e5448e8f6f41f0a9e629b1ef41a1f49e30721cfbf906705aed0cd470d.exetaskkill.exe

description	pid	process
Token: SeCreateTokenPrivilege	1516	acef718e5448e8f6f41f0a9e629b1ef41a1f49e30721cfbf906705aed0cd470d.exe
Token: SeAssignPrimaryTokenPrivilege	1516	acef718e5448e8f6f41f0a9e629b1ef41a1f49e30721cfbf906705aed0cd470d.exe
Token: SeLockMemoryPrivilege	1516	acef718e5448e8f6f41f0a9e629b1ef41a1f49e30721cfbf906705aed0cd470d.exe
Token: SeIncreaseQuotaPrivilege	1516	acef718e5448e8f6f41f0a9e629b1ef41a1f49e30721cfbf906705aed0cd470d.exe
Token: SeMachineAccountPrivilege	1516	acef718e5448e8f6f41f0a9e629b1ef41a1f49e30721cfbf906705aed0cd470d.exe
Token: SeTcbPrivilege	1516	acef718e5448e8f6f41f0a9e629b1ef41a1f49e30721cfbf906705aed0cd470d.exe
Token: SeSecurityPrivilege	1516	acef718e5448e8f6f41f0a9e629b1ef41a1f49e30721cfbf906705aed0cd470d.exe
Token: SeTakeOwnershipPrivilege	1516	acef718e5448e8f6f41f0a9e629b1ef41a1f49e30721cfbf906705aed0cd470d.exe
Token: SeLoadDriverPrivilege	1516	acef718e5448e8f6f41f0a9e629b1ef41a1f49e30721cfbf906705aed0cd470d.exe
Token: SeSystemProfilePrivilege	1516	acef718e5448e8f6f41f0a9e629b1ef41a1f49e30721cfbf906705aed0cd470d.exe
Token: SeSystemtimePrivilege	1516	acef718e5448e8f6f41f0a9e629b1ef41a1f49e30721cfbf906705aed0cd470d.exe
Token: SeProfSingleProcessPrivilege	1516	acef718e5448e8f6f41f0a9e629b1ef41a1f49e30721cfbf906705aed0cd470d.exe
Token: SeIncBasePriorityPrivilege	1516	acef718e5448e8f6f41f0a9e629b1ef41a1f49e30721cfbf906705aed0cd470d.exe
Token: SeCreatePagefilePrivilege	1516	acef718e5448e8f6f41f0a9e629b1ef41a1f49e30721cfbf906705aed0cd470d.exe
Token: SeCreatePermanentPrivilege	1516	acef718e5448e8f6f41f0a9e629b1ef41a1f49e30721cfbf906705aed0cd470d.exe
Token: SeBackupPrivilege	1516	acef718e5448e8f6f41f0a9e629b1ef41a1f49e30721cfbf906705aed0cd470d.exe
Token: SeRestorePrivilege	1516	acef718e5448e8f6f41f0a9e629b1ef41a1f49e30721cfbf906705aed0cd470d.exe
Token: SeShutdownPrivilege	1516	acef718e5448e8f6f41f0a9e629b1ef41a1f49e30721cfbf906705aed0cd470d.exe
Token: SeDebugPrivilege	1516	acef718e5448e8f6f41f0a9e629b1ef41a1f49e30721cfbf906705aed0cd470d.exe
Token: SeAuditPrivilege	1516	acef718e5448e8f6f41f0a9e629b1ef41a1f49e30721cfbf906705aed0cd470d.exe
Token: SeSystemEnvironmentPrivilege	1516	acef718e5448e8f6f41f0a9e629b1ef41a1f49e30721cfbf906705aed0cd470d.exe
Token: SeChangeNotifyPrivilege	1516	acef718e5448e8f6f41f0a9e629b1ef41a1f49e30721cfbf906705aed0cd470d.exe
Token: SeRemoteShutdownPrivilege	1516	acef718e5448e8f6f41f0a9e629b1ef41a1f49e30721cfbf906705aed0cd470d.exe
Token: SeUndockPrivilege	1516	acef718e5448e8f6f41f0a9e629b1ef41a1f49e30721cfbf906705aed0cd470d.exe
Token: SeSyncAgentPrivilege	1516	acef718e5448e8f6f41f0a9e629b1ef41a1f49e30721cfbf906705aed0cd470d.exe
Token: SeEnableDelegationPrivilege	1516	acef718e5448e8f6f41f0a9e629b1ef41a1f49e30721cfbf906705aed0cd470d.exe
Token: SeManageVolumePrivilege	1516	acef718e5448e8f6f41f0a9e629b1ef41a1f49e30721cfbf906705aed0cd470d.exe
Token: SeImpersonatePrivilege	1516	acef718e5448e8f6f41f0a9e629b1ef41a1f49e30721cfbf906705aed0cd470d.exe
Token: SeCreateGlobalPrivilege	1516	acef718e5448e8f6f41f0a9e629b1ef41a1f49e30721cfbf906705aed0cd470d.exe
Token: 31	1516	acef718e5448e8f6f41f0a9e629b1ef41a1f49e30721cfbf906705aed0cd470d.exe
Token: 32	1516	acef718e5448e8f6f41f0a9e629b1ef41a1f49e30721cfbf906705aed0cd470d.exe
Token: 33	1516	acef718e5448e8f6f41f0a9e629b1ef41a1f49e30721cfbf906705aed0cd470d.exe
Token: 34	1516	acef718e5448e8f6f41f0a9e629b1ef41a1f49e30721cfbf906705aed0cd470d.exe
Token: 35	1516	acef718e5448e8f6f41f0a9e629b1ef41a1f49e30721cfbf906705aed0cd470d.exe
Token: SeDebugPrivilege	1832	taskkill.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

acef718e5448e8f6f41f0a9e629b1ef41a1f49e30721cfbf906705aed0cd470d.execmd.exe

description	pid	process	target process
PID 1516 wrote to memory of 1476	1516	acef718e5448e8f6f41f0a9e629b1ef41a1f49e30721cfbf906705aed0cd470d.exe	cmd.exe
PID 1516 wrote to memory of 1476	1516	acef718e5448e8f6f41f0a9e629b1ef41a1f49e30721cfbf906705aed0cd470d.exe	cmd.exe
PID 1516 wrote to memory of 1476	1516	acef718e5448e8f6f41f0a9e629b1ef41a1f49e30721cfbf906705aed0cd470d.exe	cmd.exe
PID 1516 wrote to memory of 1476	1516	acef718e5448e8f6f41f0a9e629b1ef41a1f49e30721cfbf906705aed0cd470d.exe	cmd.exe
PID 1476 wrote to memory of 1832	1476	cmd.exe	taskkill.exe
PID 1476 wrote to memory of 1832	1476	cmd.exe	taskkill.exe
PID 1476 wrote to memory of 1832	1476	cmd.exe	taskkill.exe
PID 1476 wrote to memory of 1832	1476	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\acef718e5448e8f6f41f0a9e629b1ef41a1f49e30721cfbf906705aed0cd470d.exe
"C:\Users\Admin\AppData\Local\Temp\acef718e5448e8f6f41f0a9e629b1ef41a1f49e30721cfbf906705aed0cd470d.exe"
1⤵
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1516

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1832

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1476-55-0x0000000000000000-mapping.dmp

Download
memory/1516-54-0x0000000075671000-0x0000000075673000-memory.dmp

Filesize
8KB

Download
memory/1832-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads