socelars | 88d3db212ceae3e3fd22ad246bb9a6fb674845b6fb59ce789e132d2f6b00c1e7

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
10-08-2023 08:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88d3db212ceae3e3fd22ad246bb9a6fb674845b6fb59ce789e132d2f6b00c1e7.exe
Size

716KB
MD5

cf45e274907f0e7617c65aff09dea3c9
SHA1

5e9718ec8de99349d08ddbbcc1e037f284c7e0cb
SHA256

88d3db212ceae3e3fd22ad246bb9a6fb674845b6fb59ce789e132d2f6b00c1e7
SHA512

79a79c42c184098f75b70b8cc77a4ca3a14cab968c69524b1654d7b5c3942ebd68126b3320f9b371bec4ba3e149df872319db562e8bc21c4ac6c2f66029b16bf
SSDEEP

12288:Ggu3SyqFkVKLj4Feawzv1ztGwmnjpSr5LCRmO7vuArkBKfoeY:GyL31tzYjcCRlqArkAf+

Score

10^/10

socelars spyware stealer

Malware Config

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.wygexde.xyz/

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars payload 1 IoCs

resource	yara_rule
behavioral1/memory/2320-54-0x0000000000180000-0x00000000002F6000-memory.dmp	family_socelars

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2440	2320	WerFault.exe	27

Kills process with taskkill 1 IoCs

evasion

pid	Process
1300	taskkill.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	88d3db212ceae3e3fd22ad246bb9a6fb674845b6fb59ce789e132d2f6b00c1e7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	88d3db212ceae3e3fd22ad246bb9a6fb674845b6fb59ce789e132d2f6b00c1e7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	88d3db212ceae3e3fd22ad246bb9a6fb674845b6fb59ce789e132d2f6b00c1e7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	88d3db212ceae3e3fd22ad246bb9a6fb674845b6fb59ce789e132d2f6b00c1e7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	88d3db212ceae3e3fd22ad246bb9a6fb674845b6fb59ce789e132d2f6b00c1e7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	88d3db212ceae3e3fd22ad246bb9a6fb674845b6fb59ce789e132d2f6b00c1e7.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	2320	88d3db212ceae3e3fd22ad246bb9a6fb674845b6fb59ce789e132d2f6b00c1e7.exe
Token: SeAssignPrimaryTokenPrivilege	2320	88d3db212ceae3e3fd22ad246bb9a6fb674845b6fb59ce789e132d2f6b00c1e7.exe
Token: SeLockMemoryPrivilege	2320	88d3db212ceae3e3fd22ad246bb9a6fb674845b6fb59ce789e132d2f6b00c1e7.exe
Token: SeIncreaseQuotaPrivilege	2320	88d3db212ceae3e3fd22ad246bb9a6fb674845b6fb59ce789e132d2f6b00c1e7.exe
Token: SeMachineAccountPrivilege	2320	88d3db212ceae3e3fd22ad246bb9a6fb674845b6fb59ce789e132d2f6b00c1e7.exe
Token: SeTcbPrivilege	2320	88d3db212ceae3e3fd22ad246bb9a6fb674845b6fb59ce789e132d2f6b00c1e7.exe
Token: SeSecurityPrivilege	2320	88d3db212ceae3e3fd22ad246bb9a6fb674845b6fb59ce789e132d2f6b00c1e7.exe
Token: SeTakeOwnershipPrivilege	2320	88d3db212ceae3e3fd22ad246bb9a6fb674845b6fb59ce789e132d2f6b00c1e7.exe
Token: SeLoadDriverPrivilege	2320	88d3db212ceae3e3fd22ad246bb9a6fb674845b6fb59ce789e132d2f6b00c1e7.exe
Token: SeSystemProfilePrivilege	2320	88d3db212ceae3e3fd22ad246bb9a6fb674845b6fb59ce789e132d2f6b00c1e7.exe
Token: SeSystemtimePrivilege	2320	88d3db212ceae3e3fd22ad246bb9a6fb674845b6fb59ce789e132d2f6b00c1e7.exe
Token: SeProfSingleProcessPrivilege	2320	88d3db212ceae3e3fd22ad246bb9a6fb674845b6fb59ce789e132d2f6b00c1e7.exe
Token: SeIncBasePriorityPrivilege	2320	88d3db212ceae3e3fd22ad246bb9a6fb674845b6fb59ce789e132d2f6b00c1e7.exe
Token: SeCreatePagefilePrivilege	2320	88d3db212ceae3e3fd22ad246bb9a6fb674845b6fb59ce789e132d2f6b00c1e7.exe
Token: SeCreatePermanentPrivilege	2320	88d3db212ceae3e3fd22ad246bb9a6fb674845b6fb59ce789e132d2f6b00c1e7.exe
Token: SeBackupPrivilege	2320	88d3db212ceae3e3fd22ad246bb9a6fb674845b6fb59ce789e132d2f6b00c1e7.exe
Token: SeRestorePrivilege	2320	88d3db212ceae3e3fd22ad246bb9a6fb674845b6fb59ce789e132d2f6b00c1e7.exe
Token: SeShutdownPrivilege	2320	88d3db212ceae3e3fd22ad246bb9a6fb674845b6fb59ce789e132d2f6b00c1e7.exe
Token: SeDebugPrivilege	2320	88d3db212ceae3e3fd22ad246bb9a6fb674845b6fb59ce789e132d2f6b00c1e7.exe
Token: SeAuditPrivilege	2320	88d3db212ceae3e3fd22ad246bb9a6fb674845b6fb59ce789e132d2f6b00c1e7.exe
Token: SeSystemEnvironmentPrivilege	2320	88d3db212ceae3e3fd22ad246bb9a6fb674845b6fb59ce789e132d2f6b00c1e7.exe
Token: SeChangeNotifyPrivilege	2320	88d3db212ceae3e3fd22ad246bb9a6fb674845b6fb59ce789e132d2f6b00c1e7.exe
Token: SeRemoteShutdownPrivilege	2320	88d3db212ceae3e3fd22ad246bb9a6fb674845b6fb59ce789e132d2f6b00c1e7.exe
Token: SeUndockPrivilege	2320	88d3db212ceae3e3fd22ad246bb9a6fb674845b6fb59ce789e132d2f6b00c1e7.exe
Token: SeSyncAgentPrivilege	2320	88d3db212ceae3e3fd22ad246bb9a6fb674845b6fb59ce789e132d2f6b00c1e7.exe
Token: SeEnableDelegationPrivilege	2320	88d3db212ceae3e3fd22ad246bb9a6fb674845b6fb59ce789e132d2f6b00c1e7.exe
Token: SeManageVolumePrivilege	2320	88d3db212ceae3e3fd22ad246bb9a6fb674845b6fb59ce789e132d2f6b00c1e7.exe
Token: SeImpersonatePrivilege	2320	88d3db212ceae3e3fd22ad246bb9a6fb674845b6fb59ce789e132d2f6b00c1e7.exe
Token: SeCreateGlobalPrivilege	2320	88d3db212ceae3e3fd22ad246bb9a6fb674845b6fb59ce789e132d2f6b00c1e7.exe
Token: 31	2320	88d3db212ceae3e3fd22ad246bb9a6fb674845b6fb59ce789e132d2f6b00c1e7.exe
Token: 32	2320	88d3db212ceae3e3fd22ad246bb9a6fb674845b6fb59ce789e132d2f6b00c1e7.exe
Token: 33	2320	88d3db212ceae3e3fd22ad246bb9a6fb674845b6fb59ce789e132d2f6b00c1e7.exe
Token: 34	2320	88d3db212ceae3e3fd22ad246bb9a6fb674845b6fb59ce789e132d2f6b00c1e7.exe
Token: 35	2320	88d3db212ceae3e3fd22ad246bb9a6fb674845b6fb59ce789e132d2f6b00c1e7.exe
Token: SeDebugPrivilege	1300	taskkill.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 2764	2320	88d3db212ceae3e3fd22ad246bb9a6fb674845b6fb59ce789e132d2f6b00c1e7.exe	29
PID 2320 wrote to memory of 2764	2320	88d3db212ceae3e3fd22ad246bb9a6fb674845b6fb59ce789e132d2f6b00c1e7.exe	29
PID 2320 wrote to memory of 2764	2320	88d3db212ceae3e3fd22ad246bb9a6fb674845b6fb59ce789e132d2f6b00c1e7.exe	29
PID 2320 wrote to memory of 2764	2320	88d3db212ceae3e3fd22ad246bb9a6fb674845b6fb59ce789e132d2f6b00c1e7.exe	29
PID 2764 wrote to memory of 1300	2764	cmd.exe	31
PID 2764 wrote to memory of 1300	2764	cmd.exe	31
PID 2764 wrote to memory of 1300	2764	cmd.exe	31
PID 2764 wrote to memory of 1300	2764	cmd.exe	31
PID 2320 wrote to memory of 2440	2320	88d3db212ceae3e3fd22ad246bb9a6fb674845b6fb59ce789e132d2f6b00c1e7.exe	33
PID 2320 wrote to memory of 2440	2320	88d3db212ceae3e3fd22ad246bb9a6fb674845b6fb59ce789e132d2f6b00c1e7.exe	33
PID 2320 wrote to memory of 2440	2320	88d3db212ceae3e3fd22ad246bb9a6fb674845b6fb59ce789e132d2f6b00c1e7.exe	33
PID 2320 wrote to memory of 2440	2320	88d3db212ceae3e3fd22ad246bb9a6fb674845b6fb59ce789e132d2f6b00c1e7.exe	33

C:\Users\Admin\AppData\Local\Temp\88d3db212ceae3e3fd22ad246bb9a6fb674845b6fb59ce789e132d2f6b00c1e7.exe
"C:\Users\Admin\AppData\Local\Temp\88d3db212ceae3e3fd22ad246bb9a6fb674845b6fb59ce789e132d2f6b00c1e7.exe"
1⤵
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1300
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 1496
  2⤵
  - Program crash
  PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d10c6f045a45839016233bef1a5c9fcb

SHA1
00a513d7464adf3c9e2f88dc273677120293566f

SHA256
48036e209b8ffe19a65e7b7926f7c5fd7772bfe3a2c4ca5bdb8c0329899d6183

SHA512
15c2210b1eeeacd7ccfff5432170a5536d3496d83702336d59905ae6280158f70786c2c1a8a9f804d10f0e880862b91a4d96a2bf51971e947634aea1b20381b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab89AB.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8AA8.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
memory/2320-53-0x0000000000300000-0x0000000000374000-memory.dmp

Filesize
464KB

Download
memory/2320-54-0x0000000000180000-0x00000000002F6000-memory.dmp

Filesize
1.5MB

Download
memory/2320-135-0x0000000000300000-0x0000000000374000-memory.dmp

Filesize
464KB

Download