Overview

overview

10

Static

static

10

8194c5a8a1...1f.exe

windows7-x64

10

8194c5a8a1...1f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    190s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-12-2022 09:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8194c5a8a145a9c76349c08afc5caa1f.exe

  • Size

    675KB

  • MD5

    8194c5a8a145a9c76349c08afc5caa1f

  • SHA1

    059ec1283f5d812533d662c3d569eb286973602e

  • SHA256

    4651270dd4ecec382fc2b62f0f946379107945dea1b36f168be59db502be81ee

  • SHA512

    1443cb59203de429f7f12e75af0912a372e83d6fd74508f514affdad6545c0883b77fd3b227be709145882088868a5c90389b4a527e5621e14ad5127237b6d24

  • SSDEEP

    12288:xqlMhfymUyZzk8ri+hcGgn9cJBJYGahyHY2oSjqOe6zUDmg:x5kxyZFe+hcGEXGwiY2j25

Score
10/10
socelarsspywarestealerupx

Malware Config

Signatures

  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    stealersocelars
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in Program Files directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8194c5a8a145a9c76349c08afc5caa1f.exe
    "C:\Users\Admin\AppData\Local\Temp\8194c5a8a145a9c76349c08afc5caa1f.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4900
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /im chrome.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4204
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im chrome.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:448
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2476
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ffc14db4f50,0x7ffc14db4f60,0x7ffc14db4f70
        3⤵
          PID:4916

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Web Service

    1
    T1102

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/448-134-0x0000000000000000-mapping.dmp
      Download
    • memory/4204-133-0x0000000000000000-mapping.dmp
      Download
    • memory/4900-132-0x0000000000400000-0x000000000058E000-memory.dmp
      Filesize

      1.6MB

      Download