socelars | acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1

Analysis

max time kernel
100s
max time network
109s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
28-11-2022 09:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.exe
Size

1.9MB
MD5

db367c514ab76f8d78125f38173f16a3
SHA1

952cca78e59b6e2235d128c7f0669e22c552a83d
SHA256

acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1
SHA512

a84f043167960be13874951a563c95453760c251e3fa1634a519ac4fa499250f826735ddc30e65fae9bc94cbe0eabeaf71794af6c7ce7d3d462a2d7d9a3df2a1
SSDEEP

24576:qTfEWQMHi9jzdDnAOnCncwDg6TX8lXqLwr63mYmHfAlOFpe8Qk+Th/DNs0o+:UcW4fTWTTslXqLw+3m5Al98uTBhs0o+

Score

10^/10

socelars discovery stealer

Malware Config

Extracted

Family

socelars

http://www.zhxxjs.pw/Info/

http://www.allinfo.pw/

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Executes dropped EXE 2 IoCs

Processes:

acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.tmpDiskScan.exe

pid process

1016 acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.tmp
1100 DiskScan.exe

Loads dropped DLL 6 IoCs

Processes:

acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.exeacacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.tmpWerFault.exe

pid	process
836	acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.exe
1016	acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.tmp
1976	WerFault.exe
1976	WerFault.exe
1976	WerFault.exe
1976	WerFault.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1976 1100 WerFault.exe DiskScan.exe

pid	pid_target	process	target process
1976	1100	WerFault.exe	DiskScan.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.tmp

pid	process
1016	acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.tmp
1016	acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.tmp

pid process

1016 acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.tmp

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.exeacacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.tmpDiskScan.exe

description	pid	process	target process
PID 836 wrote to memory of 1016	836	acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.exe	acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.tmp
PID 836 wrote to memory of 1016	836	acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.exe	acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.tmp
PID 836 wrote to memory of 1016	836	acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.exe	acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.tmp
PID 836 wrote to memory of 1016	836	acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.exe	acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.tmp
PID 836 wrote to memory of 1016	836	acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.exe	acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.tmp
PID 836 wrote to memory of 1016	836	acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.exe	acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.tmp
PID 836 wrote to memory of 1016	836	acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.exe	acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.tmp
PID 1016 wrote to memory of 1100	1016	acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.tmp	DiskScan.exe
PID 1016 wrote to memory of 1100	1016	acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.tmp	DiskScan.exe
PID 1016 wrote to memory of 1100	1016	acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.tmp	DiskScan.exe
PID 1016 wrote to memory of 1100	1016	acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.tmp	DiskScan.exe
PID 1100 wrote to memory of 1976	1100	DiskScan.exe	WerFault.exe
PID 1100 wrote to memory of 1976	1100	DiskScan.exe	WerFault.exe
PID 1100 wrote to memory of 1976	1100	DiskScan.exe	WerFault.exe
PID 1100 wrote to memory of 1976	1100	DiskScan.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.exe
"C:\Users\Admin\AppData\Local\Temp\acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:836

C:\Users\Admin\AppData\Local\Temp\is-NUHC1.tmp\acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.tmp
"C:\Users\Admin\AppData\Local\Temp\is-NUHC1.tmp\acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.tmp" /SL5="$70124,1255174,809984,C:\Users\Admin\AppData\Local\Temp\acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1016

C:\Users\Admin\AppData\Local\Temp\DiskProtect190901\DiskScan.exe
"C:\Users\Admin\AppData\Local\Temp\DiskProtect190901\DiskScan.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 564
4⤵
- Loads dropped DLL
- Program crash
PID:1976

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DiskProtect190901\DiskScan.exe
Filesize
1.1MB

MD5
8b657eec7beb7b278c47cd4cdeffbe29

SHA1
39d23a0ebea029b9878346abb74bc31e9b77d2c3

SHA256
cd5c9d9a60600e130f6da42f661906909214d156d2500bd7d9657592eecf6019

SHA512
c52488f58d9822fa00885f254fc2738562cd0933b32e0edb3cd406cca33b150f185ab294bd860d3750e4c98ab8084effef4a562df9ada42ee385e71b7d4a9fb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NUHC1.tmp\acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.tmp
Filesize
2.5MB

MD5
b791cce5df067cdb8b8a8eae20d3c8f4

SHA1
9558d6e5de346d2e444ac869e885d101dcf94b83

SHA256
c4905f1105c0d90fa77d346c8b088ac6a1a18326c0d356f24fee45ef6484955e

SHA512
fada58d582d51406728cf6018110e0f8acef09b9f55fcb22252660524b98f33b7695c4f0cd3e4bfa6b47c4e82d7a335665a3be86f6ea3218ea30ffa7c025444f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NUHC1.tmp\acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.tmp
Filesize
2.5MB

MD5
b791cce5df067cdb8b8a8eae20d3c8f4

SHA1
9558d6e5de346d2e444ac869e885d101dcf94b83

SHA256
c4905f1105c0d90fa77d346c8b088ac6a1a18326c0d356f24fee45ef6484955e

SHA512
fada58d582d51406728cf6018110e0f8acef09b9f55fcb22252660524b98f33b7695c4f0cd3e4bfa6b47c4e82d7a335665a3be86f6ea3218ea30ffa7c025444f

Download Submit
\Users\Admin\AppData\Local\Temp\DiskProtect190901\DiskScan.exe
Filesize
1.1MB

MD5
8b657eec7beb7b278c47cd4cdeffbe29

SHA1
39d23a0ebea029b9878346abb74bc31e9b77d2c3

SHA256
cd5c9d9a60600e130f6da42f661906909214d156d2500bd7d9657592eecf6019

SHA512
c52488f58d9822fa00885f254fc2738562cd0933b32e0edb3cd406cca33b150f185ab294bd860d3750e4c98ab8084effef4a562df9ada42ee385e71b7d4a9fb1

Download Submit
\Users\Admin\AppData\Local\Temp\DiskProtect190901\DiskScan.exe
Filesize
1.1MB

MD5
8b657eec7beb7b278c47cd4cdeffbe29

SHA1
39d23a0ebea029b9878346abb74bc31e9b77d2c3

SHA256
cd5c9d9a60600e130f6da42f661906909214d156d2500bd7d9657592eecf6019

SHA512
c52488f58d9822fa00885f254fc2738562cd0933b32e0edb3cd406cca33b150f185ab294bd860d3750e4c98ab8084effef4a562df9ada42ee385e71b7d4a9fb1

Download Submit
\Users\Admin\AppData\Local\Temp\DiskProtect190901\DiskScan.exe
Filesize
1.1MB

MD5
8b657eec7beb7b278c47cd4cdeffbe29

SHA1
39d23a0ebea029b9878346abb74bc31e9b77d2c3

SHA256
cd5c9d9a60600e130f6da42f661906909214d156d2500bd7d9657592eecf6019

SHA512
c52488f58d9822fa00885f254fc2738562cd0933b32e0edb3cd406cca33b150f185ab294bd860d3750e4c98ab8084effef4a562df9ada42ee385e71b7d4a9fb1

Download Submit
\Users\Admin\AppData\Local\Temp\DiskProtect190901\DiskScan.exe
Filesize
1.1MB

MD5
8b657eec7beb7b278c47cd4cdeffbe29

SHA1
39d23a0ebea029b9878346abb74bc31e9b77d2c3

SHA256
cd5c9d9a60600e130f6da42f661906909214d156d2500bd7d9657592eecf6019

SHA512
c52488f58d9822fa00885f254fc2738562cd0933b32e0edb3cd406cca33b150f185ab294bd860d3750e4c98ab8084effef4a562df9ada42ee385e71b7d4a9fb1

Download Submit
\Users\Admin\AppData\Local\Temp\DiskProtect190901\DiskScan.exe
Filesize
1.1MB

MD5
8b657eec7beb7b278c47cd4cdeffbe29

SHA1
39d23a0ebea029b9878346abb74bc31e9b77d2c3

SHA256
cd5c9d9a60600e130f6da42f661906909214d156d2500bd7d9657592eecf6019

SHA512
c52488f58d9822fa00885f254fc2738562cd0933b32e0edb3cd406cca33b150f185ab294bd860d3750e4c98ab8084effef4a562df9ada42ee385e71b7d4a9fb1

Download Submit
\Users\Admin\AppData\Local\Temp\is-NUHC1.tmp\acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.tmp
Filesize
2.5MB

MD5
b791cce5df067cdb8b8a8eae20d3c8f4

SHA1
9558d6e5de346d2e444ac869e885d101dcf94b83

SHA256
c4905f1105c0d90fa77d346c8b088ac6a1a18326c0d356f24fee45ef6484955e

SHA512
fada58d582d51406728cf6018110e0f8acef09b9f55fcb22252660524b98f33b7695c4f0cd3e4bfa6b47c4e82d7a335665a3be86f6ea3218ea30ffa7c025444f

Download Submit
memory/836-69-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/836-54-0x0000000075C81000-0x0000000075C83000-memory.dmp

Filesize
8KB

Download
memory/836-62-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/836-57-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/836-55-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/1016-63-0x0000000074441000-0x0000000074443000-memory.dmp

Filesize
8KB

Download
memory/1016-59-0x0000000000000000-mapping.dmp

Download
memory/1100-66-0x0000000000000000-mapping.dmp

Download
memory/1976-70-0x0000000000000000-mapping.dmp

Download