Malware Analysis Report

2025-01-02 06:11

Sample ID 230129-v6rjnaff78
Target c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91
SHA256 c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91
Tags
socelars discovery stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91

Threat Level: Known bad

The file c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91 was found to be: Known bad.

Malicious Activity Summary

socelars discovery stealer

Socelars

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Checks installed software on the system

Enumerates physical storage devices

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-01-29 17:36

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-29 17:36

Reported

2023-01-29 17:39

Platform

win7-20221111-en

Max time kernel

24s

Max time network

30s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.exe"

Signatures

Socelars

stealer socelars

Checks installed software on the system

discovery

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-IPBLA.tmp\c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1224 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.exe C:\Users\Admin\AppData\Local\Temp\is-IPBLA.tmp\c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.tmp
PID 1224 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.exe C:\Users\Admin\AppData\Local\Temp\is-IPBLA.tmp\c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.tmp
PID 1224 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.exe C:\Users\Admin\AppData\Local\Temp\is-IPBLA.tmp\c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.tmp
PID 1224 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.exe C:\Users\Admin\AppData\Local\Temp\is-IPBLA.tmp\c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.tmp
PID 1224 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.exe C:\Users\Admin\AppData\Local\Temp\is-IPBLA.tmp\c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.tmp
PID 1224 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.exe C:\Users\Admin\AppData\Local\Temp\is-IPBLA.tmp\c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.tmp
PID 1224 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.exe C:\Users\Admin\AppData\Local\Temp\is-IPBLA.tmp\c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.tmp
PID 1812 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\is-IPBLA.tmp\c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.tmp C:\Users\Admin\AppData\Local\Temp\DiskProtect18889\DiskScan.exe
PID 1812 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\is-IPBLA.tmp\c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.tmp C:\Users\Admin\AppData\Local\Temp\DiskProtect18889\DiskScan.exe
PID 1812 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\is-IPBLA.tmp\c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.tmp C:\Users\Admin\AppData\Local\Temp\DiskProtect18889\DiskScan.exe
PID 1812 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\is-IPBLA.tmp\c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.tmp C:\Users\Admin\AppData\Local\Temp\DiskProtect18889\DiskScan.exe
PID 1148 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\DiskProtect18889\DiskScan.exe C:\Windows\SysWOW64\WerFault.exe
PID 1148 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\DiskProtect18889\DiskScan.exe C:\Windows\SysWOW64\WerFault.exe
PID 1148 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\DiskProtect18889\DiskScan.exe C:\Windows\SysWOW64\WerFault.exe
PID 1148 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\DiskProtect18889\DiskScan.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.exe

"C:\Users\Admin\AppData\Local\Temp\c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.exe"

C:\Users\Admin\AppData\Local\Temp\is-IPBLA.tmp\c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.tmp

"C:\Users\Admin\AppData\Local\Temp\is-IPBLA.tmp\c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.tmp" /SL5="$7012C,1248603,784384,C:\Users\Admin\AppData\Local\Temp\c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.exe"

C:\Users\Admin\AppData\Local\Temp\DiskProtect18889\DiskScan.exe

"C:\Users\Admin\AppData\Local\Temp\DiskProtect18889\DiskScan.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 592

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 www.geoplugin.net udp
N/A 178.237.33.50:80 www.geoplugin.net tcp

Files

memory/1224-54-0x0000000075C41000-0x0000000075C43000-memory.dmp

memory/1224-55-0x0000000000400000-0x00000000004CD000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-IPBLA.tmp\c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.tmp

MD5 ce5267795af9aa0df86c9406686a9296
SHA1 eaa104d1400ea7c5fce8b7ee85891e41afee5e47
SHA256 0be9a338898ab0da948885bc4810e3faf32e0012460bc0a2ece5ccebe5249d70
SHA512 d9da631525363d26f073398e264afea1460585f3644e85cc43f761d46ebadb83e92eecb20363e0fea9fe4a5698148ec5501745db79c1f3c4d5efbcf7fd922d47

C:\Users\Admin\AppData\Local\Temp\is-IPBLA.tmp\c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.tmp

MD5 ce5267795af9aa0df86c9406686a9296
SHA1 eaa104d1400ea7c5fce8b7ee85891e41afee5e47
SHA256 0be9a338898ab0da948885bc4810e3faf32e0012460bc0a2ece5ccebe5249d70
SHA512 d9da631525363d26f073398e264afea1460585f3644e85cc43f761d46ebadb83e92eecb20363e0fea9fe4a5698148ec5501745db79c1f3c4d5efbcf7fd922d47

memory/1812-58-0x0000000000000000-mapping.dmp

memory/1224-60-0x0000000000400000-0x00000000004CD000-memory.dmp

memory/1812-62-0x0000000074E71000-0x0000000074E73000-memory.dmp

\Users\Admin\AppData\Local\Temp\DiskProtect18889\DiskScan.exe

MD5 86443429e6c9b2b90755676c9f0996ea
SHA1 b389c7903305ad002f1c3bfb817000dafdc24783
SHA256 04ea3db67ff876112ddad55ba4ac65f3383c16333e6b02385d27402b5eab2b13
SHA512 ba1c162fb922fd9f3ef95cfc4f5037d6eb71cf1311624bf599a3b043471503751b4b9282cdb3449e8716608a2163c4d71adb585b7f7fa8939c2e04c13866f9d4

memory/1148-65-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\DiskProtect18889\DiskScan.exe

MD5 86443429e6c9b2b90755676c9f0996ea
SHA1 b389c7903305ad002f1c3bfb817000dafdc24783
SHA256 04ea3db67ff876112ddad55ba4ac65f3383c16333e6b02385d27402b5eab2b13
SHA512 ba1c162fb922fd9f3ef95cfc4f5037d6eb71cf1311624bf599a3b043471503751b4b9282cdb3449e8716608a2163c4d71adb585b7f7fa8939c2e04c13866f9d4

memory/1224-68-0x0000000000400000-0x00000000004CD000-memory.dmp

memory/1856-69-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-01-29 17:36

Reported

2023-01-29 17:39

Platform

win10v2004-20221111-en

Max time kernel

146s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.exe"

Signatures

Socelars

stealer socelars

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-GTGKO.tmp\c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.tmp N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-GTGKO.tmp\c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.tmp N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.exe

"C:\Users\Admin\AppData\Local\Temp\c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.exe"

C:\Users\Admin\AppData\Local\Temp\is-GTGKO.tmp\c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.tmp

"C:\Users\Admin\AppData\Local\Temp\is-GTGKO.tmp\c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.tmp" /SL5="$9006C,1248603,784384,C:\Users\Admin\AppData\Local\Temp\c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.exe"

C:\Users\Admin\AppData\Local\Temp\DiskProtect18889\DiskScan.exe

"C:\Users\Admin\AppData\Local\Temp\DiskProtect18889\DiskScan.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5040 -ip 5040

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 1244

Network

Country Destination Domain Proto
N/A 93.184.220.29:80 N/A tcp
N/A 93.184.220.29:80 N/A tcp
N/A 8.8.8.8:53 www.geoplugin.net udp
N/A 178.237.33.50:80 www.geoplugin.net tcp
N/A 93.184.220.29:80 N/A tcp
N/A 8.248.99.254:80 N/A tcp
N/A 104.208.16.90:443 N/A tcp
N/A 8.248.99.254:80 N/A tcp
N/A 8.248.99.254:80 N/A tcp
N/A 8.248.99.254:80 N/A tcp
N/A 104.80.225.205:443 N/A tcp
N/A 8.248.99.254:80 N/A tcp
N/A 8.247.211.254:80 N/A tcp

Files

memory/2760-132-0x0000000000400000-0x00000000004CD000-memory.dmp

memory/2760-134-0x0000000000400000-0x00000000004CD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-GTGKO.tmp\c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.tmp

MD5 ce5267795af9aa0df86c9406686a9296
SHA1 eaa104d1400ea7c5fce8b7ee85891e41afee5e47
SHA256 0be9a338898ab0da948885bc4810e3faf32e0012460bc0a2ece5ccebe5249d70
SHA512 d9da631525363d26f073398e264afea1460585f3644e85cc43f761d46ebadb83e92eecb20363e0fea9fe4a5698148ec5501745db79c1f3c4d5efbcf7fd922d47

memory/4680-135-0x0000000000000000-mapping.dmp

memory/5040-138-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\DiskProtect18889\DiskScan.exe

MD5 86443429e6c9b2b90755676c9f0996ea
SHA1 b389c7903305ad002f1c3bfb817000dafdc24783
SHA256 04ea3db67ff876112ddad55ba4ac65f3383c16333e6b02385d27402b5eab2b13
SHA512 ba1c162fb922fd9f3ef95cfc4f5037d6eb71cf1311624bf599a3b043471503751b4b9282cdb3449e8716608a2163c4d71adb585b7f7fa8939c2e04c13866f9d4

memory/2760-141-0x0000000000400000-0x00000000004CD000-memory.dmp